chore: bundle all osh charts
diff --git a/charts/barbican/.helmignore b/charts/barbican/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/barbican/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/barbican/Chart.yaml b/charts/barbican/Chart.yaml
new file mode 100644
index 0000000..75af00f
--- /dev/null
+++ b/charts/barbican/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Barbican
+home: https://docs.openstack.org/barbican/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: barbican
+sources:
+- https://opendev.org/openstack/barbican
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.12
diff --git a/charts/barbican/charts/helm-toolkit/Chart.yaml b/charts/barbican/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..26244bd
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.42
diff --git a/charts/barbican/charts/helm-toolkit/requirements.yaml b/charts/barbican/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
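Review bot: The printf on the last line splices `$endpointUser` and `$endpointPass` into the URI verbatim, so a credential containing `@`, `:`, `/`, `%`, `#` or `?` yields a URI that parses to the wrong host or fails outright, and the failure only shows up at service start. Percent-encoding the userinfo part with the Go template builtin, `printf "%s://%s:%s@%s:%s%s" $endpointScheme ($endpointUser | urlquery) ($endpointPass | urlquery) $endpointHost $endpointPort $endpointPath`, handles those characters; `urlquery` encodes a space as `+`, which is worth stating in the abstract block if spaces are allowed in passwords. The same unencoded interpolation appears in `_authenticated_transport_endpoint_uri_lookup.tpl` at the two `printf "%s:%s@..."` lines. Since the rendered string carries a plaintext password, callers of this helper should be rendering into a Secret rather than a ConfigMap; that is not visible here and should be checked at the call sites. This is a bundled copy of helm-toolkit, so the fix belongs upstream as well.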
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
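Review bot: `printf "%1.f" $endpointPort` assumes the resolved port is a float, which holds for an unquoted YAML number after Helm's YAML-to-JSON round trip, but a quoted override such as `default: "3306"` renders as `%!f(string=3306)` and silently produces a malformed host:port in every URI helper built on this one. `{{- printf "%v" $endpointPort -}}` prints both an integral float and a string as the bare number, or the abstract block should state that the port must be an unquoted integer. This is a bundled copy of helm-toolkit, so the change is also an upstream one.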
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/barbican/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
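Review bot: The job pod bind-mounts the node's Docker socket read-write through a `hostPath` volume (the `docker-socket` volumeMount and volume near the end of the template) with no pod or container `securityContext`, and the header comment does not mention it; access to that socket is root-equivalent on the node, so chart consumers need to know this job must be treated as privileged and confined (dedicated node pool via `nodeSelector`, admission policy, or disabled where no local registry is used). A header line such as `# NOTE: this job mounts /var/run/docker.sock from the host and is therefore node-root-equivalent; gate it accordingly.` would make that visible at the call site. Separately, `restartPolicy: OnFailure` combined with the default `backoffLimit` of `"1000"` means a misconfigured registry keeps a privileged pod cycling for a long time; a lower default or a documented `activeDeadlineSeconds` would bound that.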
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
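Review bot: The `return:` example in the header comment disagrees with its own `values:` input: the values declare the egress peer for `name: default` as a `namespaceSelector`, but both rendered documents in the example show `- podSelector:` for it, and since `network_policy.<label>.egress` is appended verbatim via `toYaml` the example should read `- namespaceSelector:` there too. The second `usage:` line is also not a usable invocation as written, because it lacks the trailing `| include "helm-toolkit.manifests.kubernetes_network_policy"` pipe. In the body, `hasKey (index $envAll.Values "network_policy") $label` is evaluated three times; if sprig's `hasKey` rejects a nil map (as I believe it does), a chart with no `network_policy:` key fails to render rather than emitting an empty policy — worth either guarding with `{{- if and $envAll.Values.network_policy (hasKey ...) }}` or documenting that the key is required.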
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
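Review bot: `$host` is taken with `index ... "host_fqdn_override"` and then passed straight to `hasKey $host $endpoint`; for an endpoint entry that has no `host_fqdn_override` map, `$host` is nil and, if sprig's `hasKey` rejects a nil argument as I expect, the whole chart fails to render instead of simply emitting no Secret — `{{- if and $host (hasKey $host $endpoint) }}` keeps the intended "render nothing" behaviour. The header comment should also say that `tls.key` in the examples is private-key material read from chart values, so deployers know that values file must be handled as a secret (values overrides, not committed defaults), and that when `tls.ca` is set the CA is concatenated into `tls.crt` rather than stored under a separate `ca.crt` key.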
diff --git a/charts/barbican/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/barbican/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
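Review bot: The `clusterIP` branch looks up `$envAll.Values.endpoints $backendServiceType` with the dash-form name (`key-manager` in the header example), whereas endpoint keys in these charts use underscores and the sibling `_secret-tls.yaml.tpl` in this commit explicitly applies `replace "-" "_"` before indexing `Values.endpoints`; if that convention holds here too, the three nested `index` checks never match and `ip.ingress` is silently ignored. Normalising the key once and using it for the lookups (the hostname lookup tuple can keep the original value) fixes the inconsistency; the header comment should also state that `ip.ingress` pins the Service's `clusterIP` when set.

```yaml
{{- $envAll := index . "envAll" -}}
{{- $backendServiceType := index . "backendServiceType" -}}
{{- $endpointKey := $backendServiceType | replace "-" "_" -}}
{{/* … unchanged: Service metadata, ports, selector … */}}
{{- if index $envAll.Values.endpoints $endpointKey }}
{{- if index $envAll.Values.endpoints $endpointKey "ip" }}
{{- if index $envAll.Values.endpoints $endpointKey "ip" "ingress" }}
  clusterIP: {{ index $envAll.Values.endpoints $endpointKey "ip" "ingress" }}
{{- end }}
{{- end }}
{{- end }}
```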
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
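Review bot: For every non-`http` RGW endpoint the script adds `--no-check-certificate`, so the admin access/secret key pair in `ADMIN_AUTH_ARGS` is sent over a TLS connection whose server certificate is never verified, which removes the protection TLS is there to provide for exactly those credentials. s3cmd accepts a CA bundle, so the else branch should pass the RGW CA instead of disabling verification, e.g. `CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT_PATH:?}"` with the CA mounted into the job, leaving `--no-check-certificate` as an explicit opt-in only. `s3://$S3_BUCKET` and the `--acl-grant=...:$S3_USERNAME` arguments are also unquoted under `set -e` without `-u`, so an unset variable silently yields `s3://` rather than failing fast; `set -eu` and `"s3://${S3_BUCKET}"` would catch that.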
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
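Review bot: `update_s3_user` never re-applies a rotated secret key for an unchanged access key: when the supplied `S3_ACCESS_KEY` already exists the loop hits `continue`, `current_access_key` is then non-empty, and the `radosgw-admin user modify ... --secret-key` call is skipped, so changing only `S3_SECRET_KEY` in the chart secret has no effect on the RGW user. Since the modify call is idempotent for an existing access key (assuming radosgw-admin updates the secret in that case — please confirm), the simplest fix is to run it unconditionally after the pruning loop and drop the `-z ${current_access_key}` guard and the second `user info` query. Style nit on the modify call: `--uid=${S3_USERNAME}\` is missing the space before the continuation backslash.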
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
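Review bot: Both DDL statements splice identifiers straight into SQL text with `str.format` (`"DROP DATABASE IF EXISTS {0}"`, `"DROP USER IF EXISTS {0}"`), taking `database` and `user` from the service connection URL; a name containing `-` or another non-identifier character breaks the statement, and the values are trusted verbatim. Quoting them the way the sibling `_db-init.py.tpl` already does for its GRANT (`` `{0}`.* ``) keeps the two scripts consistent: `"DROP DATABASE IF EXISTS `{0}`"` and `"DROP USER IF EXISTS '{0}'@'%%'"` (the latter also matches the `'{1}'@'%%'` account the init script creates). The same `str.format`-into-SQL pattern appears in `_db-init.py.tpl`, where it additionally interpolates the password; see the note there. The bare `except:` blocks re-raise, so they are not swallowing errors, but `except Exception:` would avoid catching `SystemExit`/`KeyboardInterrupt` on the way through.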
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
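Review bot: The GRANT statement interpolates the service password into SQL text via `str.format` (`IDENTIFIED BY \'{2}\'`), so a generated password containing a single quote or backslash either breaks the statement or changes its meaning; the password should be passed as a bound parameter (`text("... IDENTIFIED BY :pw ...")` with `pw=password`) so the DBAPI driver escapes it, and the same treatment suits `user`. `GRANT ... IDENTIFIED BY` also creates the account implicitly, a syntax MySQL 8.0 removed while MariaDB still accepts it — a `CREATE USER IF NOT EXISTS ... IDENTIFIED BY :pw` followed by a plain `GRANT ALL ON ...` is portable across both. Worth a header comment that `MARIADB_X509` is expected to hold a `REQUIRE ...` clause appended verbatim to the GRANT (that is what the `{3}` slot implies; confirm), since an unexpected value there is also executed as SQL. The enclosing script is otherwise self-contained within this hunk.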
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
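Review bot: `set -ex` at the top of this script traces every command, so the `CREATE ROLE … PASSWORD '$USER_DB_PASS'` and `ALTER USER … password '$USER_DB_PASS'` statements under "#create db user" and "#Set password everytime" are echoed with the plaintext database password into the job log. The sibling _ks-user.sh.tpl in this same commit brackets its password step with `set +x` … `set -x`; the same two lines should surround those two pgsql_superuser_cmd calls here. A second, latent bug in pgsql_superuser_cmd: `EXPORT PGDATABASE=$2` is not the bash builtin, so the first caller that ever passes a second argument will abort under `set -e` with "EXPORT: command not found" — change it to `export PGDATABASE="$2"` (no call site in this hunk passes a second argument, so it is dead today).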
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
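Review bot: The mirror loop pulls each entry of IMAGE_SYNC_LIST by whatever reference it contains and re-pushes it to LOCAL_REPO without recording what was actually pulled, so a mutable tag leaves no trace in the job log of which content landed in the local registry. Logging the resolved digest right after the pull, e.g. `docker images --digests "${IMAGE}"`, gives an auditable record (a Go-template `--format` string would need escaping inside this Helm template, which is why the simpler flag is suggested). Separately, `IFS=','` is set for the whole script rather than scoped to the loop; that is harmless here only because nothing follows the loop.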
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
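Review bot: With `set -ex` at the top of the script, the `openstack user create … --password="${SERVICE_OS_PASSWORD}"` under "# Manage user" and the `openstack user set --password=…` under "# Manage user password" are both traced with the plaintext service password into the job log. The sibling _ks-user.sh.tpl in this same commit already does `set +x` before its `openstack user set --password` and `set -x` after; the same two lines should bracket both password-carrying commands here. Passing `--password` at create time is also redundant, since the following `openstack user set --password` sets it unconditionally, so dropping it from the create call halves the exposure.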
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
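Review bot: OS_SERVICE_ID is taken from the `openstack service list | grep | sed` pipeline under "# Get Service ID" with no check that it is non-empty, and because the pipeline's status is sed's, a transient failure of the list call (the flakiness the FIXME in _ks-service.sh.tpl in this commit describes) silently yields an empty ID. The script then proceeds to delete an existing endpoint under "# Determine if Endpoint needs updated" before `openstack endpoint create … ""` fails, leaving the service with no endpoint at all. Add a guard right after the lookup: `[[ -n "${OS_SERVICE_ID}" ]] || { echo "service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; }`, or reuse the retry loop from _ks-service.sh.tpl. The unquoted `${OS_ENDPOINT_ID}` in the delete and show calls also word-splits if the lookup ever returns more than one ID, though the cleanup loop above mostly prevents that.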
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
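Review bot: The retry loop cannot tell "list succeeded, service absent" from "list failed", because the status of the `openstack service list | grep | sed` pipeline is sed's and an error on the first command just yields an empty OS_SERVICE_ID; after three such failures the script falls through and unconditionally creates the service, which is exactly the duplicate-service scenario the FIXME comment above the loop describes. Capture the list output in its own command substitution so its exit status is visible, only grep it on success, and fail the job rather than create when the list never succeeded — a failed job is retried by Kubernetes, a duplicate service is not undone. The comments above the loop also carry two typos, "duplciate" and "ecounter".
```shell
LIST_OK="false"
for i in $(seq 3)
do
  # Keep the list call out of the pipeline so a transient API failure is
  # distinguishable from "service not registered yet".
  if OS_SERVICE_LIST=$(openstack service list -f csv --quote none); then
    LIST_OK="true"
    OS_SERVICE_ID=$( echo "${OS_SERVICE_LIST}" | \
      grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
      sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
    # … unchanged: exit 0 when OS_SERVICE_ID is non-empty …
  fi
  sleep 2
done

if [[ "${LIST_OK}" != "true" ]]; then
  echo "Could not list keystone services after 3 attempts; refusing to create ${OS_SERVICE_NAME} blindly"
  exit 1
fi
# … unchanged: openstack service create …
```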
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
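Review bot: The final `ks_assign_user_role` under "# Manage user member role" does not assign MEMBER_OS_ROLE: the function unconditionally recomputes USER_ROLE_ID from SERVICE_OS_ROLE in its first branch, so the `export USER_ROLE_ID=$(openstack role create --or-show … "${MEMBER_OS_ROLE}")` just above the call is discarded, and SERVICE_OS_ROLE still holds the last element of SERVICE_OS_ROLES from the loop, which is re-assigned instead (with an empty SERVICE_OS_ROLES the function is called with an empty role name and fails). Replace the two-line export with `SERVICE_OS_ROLE="${MEMBER_OS_ROLE}"` before the call so the function's own lookup does the work. `IFS=','` is also left set for the rest of the script; an `unset IFS` after the loop keeps any later unquoted expansion from splitting on commas.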
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
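Review bot: The auxiliary definitions under "Applying additional configuration" are written to the fixed path /tmp/rmq_definitions.json with the default umask and never removed after `rabbitmqadmin_cli import`; RabbitMQ definition documents routinely contain user password hashes and permissions, so the file should be created under `umask 077` (or via `mktemp`) and deleted once the import returns, e.g. `rm -f /tmp/rmq_definitions.json` directly after the import line. The positional `awk -F'[//:]' '{print $4}'` / `'{print $5}'` extraction of user and password from the connection URLs truncates any password containing `:` or `/` and does no URL-decoding, so credentials generated with those characters will be silently wrong. rabbitmqadmin_cli also passes the admin credentials as `--username=`/`--password=` arguments, which are visible in the pod's process list for the duration of each call; if that stays by design, a comment saying so would help the next reader.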
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
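Review bot: /tmp/rally-config.json holds the admin and service passwords in clear text and is only removed on the success path — if `rally deployment create` fails, `set -e` exits before the `rm -f` and the file stays on the pod filesystem, while the EXIT trap registered under RALLY_CLEANUP only deletes the keystone user. Put `umask 077` before the `cat > /tmp/rally-config.json << EOF` and move the `rm -f /tmp/rally-config.json` into rally_cleanup, registering that trap unconditionally and keeping only the `openstack user delete` inside the `if`; a second `trap … EXIT` would replace the first rather than add to it, so a single cleanup function is the safe shape. The unquoted `$revisionResults` in create_or_update_db also turns `[ $revisionResults = "None" ]` into a syntax error if `rally db revision` prints nothing; quote it as `[ "$revisionResults" = "None" ]`.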
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
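Review bot: `database_exists` checks presence with `grep "${DB}" ${RESULT_FILE}`, a substring match, so a requested name that is merely a fragment of a real database name (a hypothetical `nova` request against an archive holding only `nova_api`) passes the guard in `cli_main` and `restore_single_db` is called for a database the archive does not contain; the line should be `grep -qx -- "${DB}" "${RESULT_FILE}"` so only a whole-line match counts and the matched text is not echoed. The same substring filtering appears in `retrieve_remote_listing` (`grep $DB_NAME | grep $DB_NAMESPACE`), and there the following `$?` test reflects only the final `awk`, so a failed `openstack object list` yields an empty archive_list that `list_archives` then reports as a successful, empty listing; testing `${PIPESTATUS[0]}` (or enabling `set -o pipefail` near the top of the script) would close that gap. Both points are inferred from the visible lines of this hunk; the rest of the toolkit is not in view.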
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
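Review bot: A missing `images.tags.<name>` entry is not rejected at template time: `$imageTag` resolves to nil, so the plain branch renders an empty or null `image:` and the local-registry branch most likely renders a Go `%!s(<nil>)` placeholder into the reference, and the error only surfaces when the pod fails to pull. Replace the lookup with `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}` so rendering fails with a message naming the missing key. `imagePullPolicy: {{ $envAll.Values.images.pull_policy }}` likewise has no default and is unquoted; `{{ $envAll.Values.images.pull_policy | default "IfNotPresent" | quote }}` would match the documented return value.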
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
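Review bot: The doc block and the template disagree on `useCA` and `OS_DEFAULT_DOMAIN`: the usage example passes only `ksUserSecret`, yet the documented return lists `OS_CACERT`, which the code emits only when `useCA` is truthy, while the `OS_DEFAULT_DOMAIN` entry the code always emits is absent from the documented return. Update the usage line to `( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true )` and add the `OS_DEFAULT_DOMAIN` block to the return section. `OS_ENDPOINT_TYPE` reading the `OS_INTERFACE` secret key appears deliberate (it is the legacy alias of the interface setting), and a one-line comment such as `{{/* OS_ENDPOINT_TYPE is the legacy alias of OS_INTERFACE; both read the same secret key */}}` would stop the next reader filing it as a copy-paste bug.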
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
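Review bot: `username`, `password`, `region_name`, `project_name` and the domain names are piped straight into `b64enc` with no `required` guard, so an unset or misspelled `endpoints.identity.auth.<userClass>.password` most likely aborts rendering with an opaque type error rather than a message naming the missing value; only `interface` and `default_domain_id` get defaults. Wrap the mandatory fields, e.g. `OS_PASSWORD: {{ required (printf "endpoints.identity.auth.%s.password is required" $userClass) $userContext.password | b64enc }}`, and likewise for `username`. The resulting Secret carries the service password only base64-encoded, so the `password` value should come from the install-time override or a secret store rather than a committed values file; a comment above the `define` stating that expectation would help chart consumers.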
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
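Review bot: The usage example passes `"useCA" true`, but the template never reads `.useCA` and emits no CA-cert entry, unlike the sibling `keystone_openrc_env_vars` snippet, so callers reading the example may assume a CA bundle is wired into the user-management job when it is not. Either drop `"useCA" true` from the usage line or mirror the sibling's `{{- if $useCA }}` block with a `SERVICE_OS_CACERT` entry reading the `OS_CACERT` key. `enviorment` in the abstract should read `environment`.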
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
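Review bot: The values example and the code read different keys: the doc block places `apparmor_profiles` under `pod.mandatory_access_control`, while the template tests and renders `$envAll.Values.conf.apparmor_profiles`. A chart following the example renders no ConfigMap at all, and pods that mount the `profiles` ConfigMap volume from the sibling volumes snippet would presumably fail to start because the referenced ConfigMap does not exist. Fix the doc block to show `conf:` / `apparmor_profiles:` (or change the lookup if the `pod`-level key is the intended contract), and add the leading `---` the template emits to the `return:` example.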
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
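Review bot: The init container runs `privileged: true`, but its `image:` line bypasses the `helm-toolkit.snippets.image` snippet, so it neither honours `images.local_registry` nor sets `imagePullPolicy` and emits an unquoted tag — the one container that receives full host privileges is also the one whose image source is least controlled. Replace the `image:` line with `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}`, matching the entrypoint init container. A short comment above `securityContext` stating why privilege is needed (the loader writes profiles through the kernel's AppArmor interface) would document the exception for anyone auditing pod security policies.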
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
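Review bot: `index $envAll.Values.pod.security_context $application "container"` is evaluated inside `hasKey` before anything has checked that the application entry has a `container` key, so a values file with `pod.security_context.<app>` holding only a `pod:` sub-map (or an empty entry) most likely aborts rendering with a nil-index error instead of rendering no securityContext. Add a guard between the two existing checks, `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "container" }}`, with a matching `{{- end -}}`. The `( index $envAll.Values.pod.security_context )` form on the second `if` is just the map itself and can be written plainly.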
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
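Review bot: The `DEPENDENCY_SERVICE`, `DEPENDENCY_JOBS`, `DEPENDENCY_DAEMONSET` and `DEPENDENCY_CONTAINER` values wrap the template output in literal double quotes (`value: "{{ ... }}"`), so a `"` or backslash in a dependency name produces invalid YAML rather than a quoted string; `DEPENDENCY_POD_JSON` and `DEPENDENCY_CUSTOM_RESOURCE` already use `| quote`, and the others should follow, e.g. `value: {{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" | quote }}`. The hard-coded `PATH` ends in `:/`, which adds the filesystem root to the executable search path; dropping the trailing `:/` is a harmless hygiene fix unless the kubernetes-entrypoint image relies on it. The snippet also stashes state in `.Values.__kubernetes_entrypoint_init_container` and sets each `custom_resources` entry's `namespace` in place, so the chart's values are mutated as a side effect of rendering; a comment noting that the global is reset on every call, and that the mutation is intentional, would help the next maintainer.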
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
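Review bot: `$application` and `$component` are concatenated into a `kubectl` selector string without quoting, and the output is presumably interpolated into a shell command at the call site, so a value containing whitespace or shell metacharacters would be split or interpreted rather than passed as one argument. Rendering with `{{ printf "-l application=%q -l component=%q" $application $component }}`, or validating the two values against the label-value character set where they are consumed, keeps each selector a single token. This snippet also has no abstract/usage/return doc block like its siblings; a three-line one naming the expected tuple order would help.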
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
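Review bot: The snippet emits only the `container.apparmor.security.beta.kubernetes.io/<name>` annotation; newer Kubernetes releases have moved AppArmor to the first-class `securityContext.appArmorProfile` field and deprecate the annotation, so if a future release stops honouring it the profile selection silently stops applying. Since the container security context snippet in this toolkit already renders `securityContext` from values, a follow-up could emit `appArmorProfile: {type: Localhost, localhostProfile: <profile>}` there for clusters that support it and keep the annotation as a fallback. Until then, a comment above the `range` such as `{{/* beta annotation; superseded by securityContext.appArmorProfile on newer Kubernetes */}}` records the limitation.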
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
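Review bot: The header comment calls `prometheus.io/scrape`, `prometheus.io/path` and `prometheus.io/port` "required", but the define below emits each annotation only when its key is set, so a caller passing an empty dict renders nothing and the pod is silently not scraped. Suggest rewording the comment to `# Optional annotations; each is emitted only when the corresponding key is set in the supplied dict:`. Note also that `scrape: false` never renders at all, because `{{- if $config.scrape }}` drops falsy values; that is harmless but surprising for anyone expecting an explicit opt-out annotation, and is worth one line in the comment.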
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
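Review bot: The license header of this file is truncated: it opens with `you may not use this file except in compliance with the License.` and never names the license, whereas the sibling `_prometheus_pod_annotations.tpl` added in the same commit starts with `Licensed under the Apache License, Version 2.0 (the "License");`. Restore that first line (and the blank lines around the URL) so the file carries a complete notice. Same remark as for the pod variant: the comment calls the four annotations "required" while each is rendered only when set in the dict, so `Optional` is the accurate word.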
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
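Review bot: The abstract in the doc comment reads `Reneders an attonation key and value for a release`; it should read `Renders an annotation key and value for a release`. The `return:` example is accurate for the `release_uuid: null` default, since the define coalesces a missing value to `""` via `default`, so only the wording needs fixing.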
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
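Review bot: Nothing in the define checks that `.s3AdminSecret` was actually supplied; when it is missing, the three `secretKeyRef.name:` fields render empty and the pod is rejected at admission with a validation error far from the cause. A one-line guard, `{{- $s3AdminSecret := required "s3AdminSecret must name the RGW admin credentials Secret" .s3AdminSecret }}`, fails the render with a readable message instead. A short header comment stating that the named Secret must carry exactly the keys `S3_ADMIN_USERNAME`, `S3_ADMIN_ACCESS_KEY` and `S3_ADMIN_SECRET_KEY` would also help, since those key names are the contract here and are documented nowhere in the file.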
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
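Review bot: The Secret data keys are produced by upper-casing whatever keys appear under `auth` in values, but the consumer added in this same commit, `_rgw_s3_user_env_vars.tpl`, reads exactly `USERNAME`, `ACCESS_KEY` and `SECRET_KEY`; a typo in values (say `accesskey`) therefore renders a Secret that applies cleanly and a pod that fails on a missing key. Worth documenting the contract with a header comment such as `# Expects each client under storage.s3.clients to carry auth.username, auth.access_key and auth.secret_key; keys are upper-cased to form the Secret data keys consumed by rgw_s3_user_env_vars.` Since the credentials are read straight from `.Values.storage.s3.clients`, the same comment should remind callers to supply them through an override file kept out of version control rather than in the chart's committed values.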
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
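Review bot: The Secret name is derived with `replace "_" "-" | lower` and the env var name with `replace "-" "_" | upper`, so two clients named `foo-bar` and `foo_bar` collapse onto the same Secret `foo-bar-s3-user-secret` and the same `FOO_BAR_S3_*` variables, and the second silently shadows the first. That is unlikely in practice but is the kind of collision nobody will diagnose from the rendered manifest; a header comment such as `# Client names are normalised for both the Secret name (lower, '-' for '_') and the env var prefix (upper, '_' for '-'); names differing only in '-' vs '_' collide.` makes the limitation visible.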
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
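Review bot: The usage example passes `"enabled" "true"` as a string, but the define tests `$enabled` for truthiness, so the string `"false"` would also render the volume; only a real boolean (or an absent key) disables it. Change the example to `{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" -}}`, matching the sibling `_tls_volume_mount.tpl`, and add `enabled: must be a boolean, not a string` to the parameter list. A comment that `defaultMode: 292` is octal 0444, i.e. the private key is readable by every uid in the pod, would also help callers decide whether that is acceptable for their container's user model.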
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
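Review bot: The second usage block documents a `"ca" true` option, but the define reads only `enabled`, `name`, `path` and `certs`; the CA-only mount is in fact selected by leaving `path` out (the `eq $path ""` branch), so the documented call works only because it happens to omit `path`, not because of `ca`. Either drop `"ca" true` from the example and state `path: omit it to mount only ca.crt at /etc/ssl/certs/openstack-helm.crt`, or honour the key with `{{- $caOnly := index . "ca" | default false -}}` and `{{- if or $caOnly (and (eq $path "") (ne $name "")) }}`. The `certs` parameter is also not validated against the documented set, so a stray entry renders a subPath mount for a key the Secret does not contain and the pod sticks in ContainerCreating; a note that the Secret must carry every listed file would help.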
diff --git a/charts/barbican/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/barbican/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
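Review bot: The block-scalar detection at `hasPrefix "|\n" $templateRendered` recognises only the clip form; if `toYaml` emits the chomping form `|-` for a multi-line value without a trailing newline (which go-yaml does, as far as I recall), the else branch wraps the text in a second block scalar and a literal `|-` line ends up inside the ConfigMap or Secret value. A guard such as `{{- if regexMatch "^\\|-?\n" $templateRendered }}` together with `regexReplaceAll "^\\|-?\n" $templateRendered ""` in place of `trimPrefix "|\n"` would cover both forms; please confirm against a rendered example before changing it. Separately, `tpl` executes values-supplied text as a Go template against the full chart context passed as `envAll`, so anyone who can supply a values override can read any other value, including credentials, into a rendered config file; the header comment should say so explicitly, e.g. `NOTE: the template string is evaluated with tpl against the chart context; treat it as trusted input.`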
diff --git a/charts/barbican/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/barbican/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
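Review bot: The returned dict includes `caKey` (the CA private key) alongside the leaf cert and key, yet the `return:` example in the header lists only `ca`, `crt`, `exp` and `key`; a caller who writes this dict straight into a TLS Secret, as the `encode` option invites, ships the CA signing key to every pod that mounts the Secret, and anyone who can read it can mint certificates trusted by everything configured with this CA. Document `caKey` in the return example and add a caveat such as `NOTE: caKey is the CA private key; drop it before storing the result in a per-service Secret unless the consumer genuinely needs to sign.` Two smaller points: when `ca` is present but lacks `crt` or `key`, `$local.ca` is never set and the later `genSignedCert` call fails without saying why, so a `fail "ca requires both crt and key"` in that branch would help; and because `genCA`/`genSignedCert` run on every render, each `helm upgrade` mints a fresh CA and certificate unless the caller persists the previous one, which deserves a line in the abstract.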
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
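Review bot: This define has no documentation at all, unlike its siblings in this commit, and its behaviour is not obvious from the code: `override` replaces the rendered template entirely and is written verbatim (it is not passed through `helm-toolkit.utils.template`), `prefix` and `append` are likewise inserted raw, and everything is indented by a hard-coded 4 spaces. Suggest an abstract/usage/return header in the style of the other snippets describing the tuple `(keyRoot, configTemplate, context)`, the precedence `override` over `prefix` + template + `append`, and the fixed `indent 4`. Because `override`, `prefix` and `append` are not templated, a note that they must already be valid content for the target file type would spare callers a surprise.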
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
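Review bot: The slice branch indexes `dependencies.dynamic.targeted $v $dependencyKey` with no existence check, whereas the string branch first tests `index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam` and falls back to the static dependencies when it is absent. A list entry with no targeted definition therefore appears to abort the render (indexing the nil result) instead of degrading the way the string form does; wrapping the merge in `{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }}` with an `else` that leaves `__deps` untouched would make the two forms consistent. The resolver also leaves the scratch key `__deps` behind in `.Values`, which deserves a comment such as `{{/* __deps is a scratch accumulator and remains set in .Values after resolution */}}`.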
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
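Review bot: `replace $last $name` rewrites every occurrence of the basename inside `$context.Template.Name`, not only the last path element, so a directory component that happens to equal the basename would be rewritten as well; `printf "%s/%s" (dir $context.Template.Name) $name` targets the sibling path exactly. The same pattern appears in `helm-toolkit.utils.template` in `_template.tpl` further down this commit. `$wtf` also says nothing about what it holds; `$templatePath` would, and a header comment such as `{{/* Renders the sibling template $name from the caller's template directory and returns the quoted sha256 of its output */}}` would document the contract.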
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
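Review bot: The separator is written before the exclusion check, so an excluded image that follows an included one yields a doubled comma (`a,,c`): `,` is emitted for every non-first key while the value is emitted only for non-excluded ones. Moving the separator inside the exclusion branch fixes it: `{{- if (not (has $k $imageExcludeList )) -}}` then `{{- if not $local.first -}},{{- end -}}` then `{{- index $imageDict $k -}}`. Whether `has` tolerates a missing `.Values.images.local_registry.exclude` is not visible here; `{{- $imageExcludeList := .Values.images.local_registry.exclude | default list -}}` would make the template safe for charts that omit the key. This file is also the only util in the directory without an abstract/usage/return header.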
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
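Review bot: Each value is wrapped in single quotes but an embedded `'` is not escaped, so a value containing a quote breaks the quoting the consumer relies on; either document it on the range line, `{{/* values are emitted verbatim; embedded single quotes are not escaped */}}`, or double them with `{{- $v | replace "'" "''" -}}` if the consumer accepts that convention. The abstract also misspells "separated" as "seperated".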
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
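Review bot: The license header opens with `{/*` rather than `{{/*`, so it is not a template comment: the text up to `*/}}` is literal template output. Since it sits outside the `define` in a partial file it is unlikely to reach a rendered manifest, but it should read `{{/*` like the other files in this directory.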
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
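Review bot: `helm-toolkit.utils.merge` assigns `$local.result` only inside the `range` over `rest $local.values`, so when the tuple holds a single value the `result` key of a passed map is set to nil instead of the target. Initialising it before the loop, `{{- $_ := set $local "result" $target -}}`, covers that case. Separately, `_merge.shallow` copies only the top level, so nested maps inside a source value stay shared with the source after the merge; if the source is reused later that aliasing is observable, and a comment on `_merge.shallow` such as `{{/* one-level copy: nested maps and slices remain shared with the source */}}` would record it.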
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_template.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
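Review bot: Top-level keys whose value is not a map are silently skipped (the `kindIs "map"` check has no else branch), and a map nested inside a section falls through to `{{ $key }} = {{ $value }}` and would presumably be printed with Go's default map formatting; neither behaviour is mentioned in the abstract. Adding `Non-map top-level values are ignored; section values must be scalars or lists.` to the abstract would document the contract, and the `{{else -}}` branch could `fail` on a map value if that is never intended.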
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
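Review bot: The usage example in the header does not match the template it documents: it calls `helm-toolkit.utils.to_k8s_env_vars` with a single argument, while this define is `helm-toolkit.utils.to_k8s_env_secret_vars` and takes a tuple of the context and the secrets map (`index . 0`, `index . 1`). The usage line should read something like `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}` so that it lines up with the `values:` example and its `secrets:` key. The env var name is also emitted unquoted while the secret name is quoted; `- name: {{ $key | quote }}` would keep a key that YAML would otherwise retype as a string.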
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
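Review bot: The digit-only check `regexMatch "^[0-9]+$"` leaves `"3"` unquoted but quotes `"-1"` or `"1.5"`, so signed or decimal numeric strings are emitted differently from unsigned integers. If the intent is to unquote anything numeric, `regexMatch "^-?[0-9]+(\\.[0-9]+)?$"` would cover those; otherwise a comment on the branch, `{{/* only unsigned integer strings are emitted unquoted */}}`, would avoid surprise. The abstract example (`log_level: 3`) exercises the non-string branch, so an example with a digit string and a plain string would document the quoting rules this template actually applies.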
diff --git a/charts/barbican/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/barbican/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
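Review bot: A map-valued option whose `type` is neither `multistring` nor `csv`, including a map with no `type` key at all, matches no branch and is silently dropped, so a typo in `type` yields a config file missing that option with no render error. A terminating branch, `{{ else -}}` followed by `{{ fail (printf "unsupported option type for [%s] %s" $section $key) }}`, would surface it at `helm template` time, and the abstract could state that map values must carry `type: multistring` or `type: csv`.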
diff --git a/charts/barbican/charts/helm-toolkit/values.yaml b/charts/barbican/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/barbican/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/barbican/requirements.lock b/charts/barbican/requirements.lock
new file mode 100644
index 0000000..ba8d219
--- /dev/null
+++ b/charts/barbican/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.42
+digest: sha256:6525a5fedf1bf00b4d1b4d1cd20b0fba9808bf3b7e41cfd76abdfe7267bd4998
+generated: "2022-05-16T22:35:19.376340743Z"
diff --git a/charts/barbican/requirements.yaml b/charts/barbican/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/barbican/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
diff --git a/charts/barbican/templates/bin/_barbican-test.sh.tpl b/charts/barbican/templates/bin/_barbican-test.sh.tpl
new file mode 100644
index 0000000..9f9fd97
--- /dev/null
+++ b/charts/barbican/templates/bin/_barbican-test.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+openstack secret list
+
+# Come up with a random payload
+PAYLOAD=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`
+echo $PAYLOAD
+
+SECRET=`openstack secret store --name mysecret --payload ${PAYLOAD} | awk ' /href/ {print $5}'`
+
+openstack secret list
+
+openstack secret get $SECRET
+
+openstack secret get --payload $SECRET
+
+openstack secret delete $SECRET
+
+openstack secret list
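Review bot: The script runs under `set -x` and then both `echo $PAYLOAD` and `openstack secret get --payload $SECRET`, so the stored secret value lands in the test pod's log twice, and a third time through the xtrace of `openstack secret store --payload ${PAYLOAD}`; the payload is random test data, so the exposure is low, but a key-manager chart's own smoke test should not print secret material. Drop the `echo` and wrap the store and the `--payload` fetch in `set +x` / `set -x`. There is also no cleanup on failure: with `set -e`, a failing `get` leaves `mysecret` behind in the deployment, so add `trap 'openstack secret delete "$SECRET"' EXIT` right after the store line. The `awk ' /href/ {print $5}'` column parse of the href is brittle across client versions; something like `-f value -c 'Secret href'` on the store command would be more robust.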
diff --git a/charts/barbican/templates/bin/_barbican.sh.tpl b/charts/barbican/templates/bin/_barbican.sh.tpl
new file mode 100644
index 0000000..1ac7911
--- /dev/null
+++ b/charts/barbican/templates/bin/_barbican.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec uwsgi --die-on-term --master --emperor /etc/barbican/vassals
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
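Review bot: The dispatch on the last line, `$COMMAND`, evaluates whatever arguments the container was started with as a shell command instead of restricting them to the two functions defined above. The only callers visible in this commit (deployment-api.yaml) pass `start` and `stop`, so this is a hardening point rather than an exploit, but a `case` keeps the entrypoint closed: `case "$COMMAND" in start|stop) "$COMMAND" ;; *) echo "unknown command: $COMMAND" >&2; exit 1 ;; esac`. `stop` sends TERM to PID 1, which only reaches uwsgi because `start` `exec`s it directly; if an init wrapper or a shared process namespace is ever introduced, this signals the wrong process, which deserves a one-line comment above `kill -TERM 1`.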
diff --git a/charts/barbican/templates/bin/_bootstrap.sh.tpl b/charts/barbican/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/barbican/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/barbican/templates/bin/_db-sync.sh.tpl b/charts/barbican/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..3fa5da5
--- /dev/null
+++ b/charts/barbican/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+barbican-db-manage upgrade
+
+{{- $kek := (index (index .Values.conf.barbican "simple_crypto_plugin" | default dict) "kek") | default "" }}
+{{- $old_kek := index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default ""}}
+{{- if and (not (empty $old_kek)) (not (empty $kek)) }}
+set +x
+echo "Ensuring that project KEKs are wrapped with the target global KEK"
+/tmp/simple_crypto_kek_rewrap.py --old-kek="$(cat /tmp/old_kek)"
+{{- end }}
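Review bot: `--old-kek="$(cat /tmp/old_kek)"` on the last line places the previous key-encryption key on the rewrap process's argv, where it is readable from `/proc/<pid>/cmdline` by any process in the pod (and by `ps` on the node) for as long as the rewrap runs; the `set +x` above only keeps it out of the job's own log. Since the key is already mounted at `/tmp/old_kek`, pass the path instead, e.g. `--old-kek-file /tmp/old_kek`, and have simple_crypto_kek_rewrap.py read the file — that needs a matching argument on the Python side. The template guard only requires both KEKs to be non-empty; if they are identical the script already skips project KEKs that unwrap with the target key, so nothing further is needed here.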
diff --git a/charts/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl b/charts/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl
new file mode 100644
index 0000000..7a52175
--- /dev/null
+++ b/charts/barbican/templates/bin/_simple_crypto_kek_rewrap.py.tpl
@@ -0,0 +1,158 @@
+#!/usr/bin/env python
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import argparse
+import base64
+import sys
+
+from cryptography import fernet
+from oslo_db.sqlalchemy import session
+from sqlalchemy import orm
+from sqlalchemy.orm import scoping
+
+from barbican.common import utils
+from barbican.model import models
+from barbican.plugin.crypto import simple_crypto
+
+# Use config values from simple_crypto
+CONF = simple_crypto.CONF
+
+
+class KekRewrap(object):
+
+ def __init__(self, conf, old_kek):
+ self.dry_run = False
+ self.db_engine = session.create_engine(conf.sql_connection)
+ self._session_creator = scoping.scoped_session(
+ orm.sessionmaker(
+ bind=self.db_engine,
+ autocommit=True
+ )
+ )
+ self.crypto_plugin = simple_crypto.SimpleCryptoPlugin(conf)
+ self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
+ self.decryptor = fernet.Fernet(old_kek.encode('utf-8'))
+ self.encryptor = fernet.Fernet(self.crypto_plugin.master_kek)
+
+ def rewrap_kek(self, project, kek):
+ with self.db_session.begin():
+ plugin_meta = kek.plugin_meta
+
+ # try to unwrap with the target kek, and if successful, skip
+ try:
+ if self.encryptor.decrypt(plugin_meta.encode('utf-8')):
+ print('Project KEK {} is already wrapped with target KEK, skipping'.format(kek.id))
+ return
+ except fernet.InvalidToken:
+ pass
+
+ # decrypt with the old kek
+ print('Unwrapping Project KEK {}'.format(kek.id))
+ try:
+ decrypted_plugin_meta = self.decryptor.decrypt(plugin_meta.encode('utf-8'))
+ except fernet.InvalidToken:
+ print('Failed to unwrap Project KEK {}'.format(kek.id))
+ raise
+
+ # encrypt with the new kek
+ print('Rewrapping Project KEK {}'.format(kek.id))
+ try:
+ new_plugin_meta = self.encryptor.encrypt(decrypted_plugin_meta).decode('utf-8')
+ except fernet.InvalidToken:
+ print('Failed to wrap Project KEK {}'.format(kek.id))
+ raise
+
+ if self.dry_run:
+ return
+
+ # Update KEK metadata in DB
+ print('Storing updated Project KEK {}'.format(kek.id))
+ kek.plugin_meta = new_plugin_meta
+
+ def get_keks_for_project(self, project):
+ keks = []
+ with self.db_session.begin() as transaction:
+ print('Retrieving KEKs for Project {}'.format(project.external_id))
+ query = transaction.session.query(models.KEKDatum)
+ query = query.filter_by(project_id=project.id)
+ query = query.filter_by(plugin_name=self.plugin_name)
+
+ keks = query.all()
+
+ return keks
+
+ def get_projects(self):
+ print('Retrieving all available projects')
+
+ projects = []
+ with self.db_session.begin() as transaction:
+ projects = transaction.session.query(models.Project).all()
+
+ return projects
+
+ @property
+ def db_session(self):
+ return self._session_creator()
+
+ def execute(self, dry_run=True):
+ self.dry_run = dry_run
+ if self.dry_run:
+ print('-- Running in dry-run mode --')
+
+ projects = self.get_projects()
+ successes = []
+ failures = []
+
+ for project in projects:
+ keks = self.get_keks_for_project(project)
+ for kek in keks:
+ try:
+ self.rewrap_kek(project, kek)
+ successes.append(kek.id)
+ except Exception:
+ failures.append(kek.id)
+
+ if successes:
+ print('Sucessfully processed the following KEKs:')
+ print('\n'.join(successes))
+
+ if failures:
+ print('Failed to rewrap the following KEKs:')
+ print('\n'.join(failures))
+ sys.exit(1)
+
+
+def main():
+ script_desc = 'Utility to re-wrap Project KEKs after rotating the global KEK.'
+
+ parser = argparse.ArgumentParser(description=script_desc)
+ parser.add_argument(
+ '--dry-run',
+ action='store_true',
+ help='Displays changes that will be made (Non-destructive)'
+ )
+ parser.add_argument(
+ '--old-kek',
+ default='dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=',
+ help='Old key encryption key previously used by Simple Crypto Plugin. '
+ '(32 bytes, base64-encoded)'
+ )
+ args = parser.parse_args()
+
+ rewrapper = KekRewrap(CONF, args.old_kek)
+ rewrapper.execute(args.dry_run)
+
+
+if __name__ == '__main__':
+ main()
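Review bot: The bare `except Exception:` in `execute`, just before `failures.append(kek.id)`, discards the exception, so an operator sees only the failing KEK id and cannot tell an unwrap with the wrong old key (`fernet.InvalidToken`) from a database write error. Capture it and print the type and message — `except Exception as exc:` followed by `print('Failed to process KEK {}: {!r}'.format(kek.id, exc))` — which carries no key material, since neither the ciphertext nor the plaintext is part of those messages. Separately, `--old-kek` ships a hard-coded default that base64-decodes to `thirty_two_byte_keyblahblahblahh`, the well-known Barbican simple_crypto default KEK, so a run without the argument silently assumes all project KEKs were wrapped with the insecure default; making the argument required, or at least printing a warning when the default is in use, would prevent a silent no-op or mass failure. The key also arrives on argv; a `--old-kek-file` option that reads the mounted `/tmp/old_kek` would keep it out of `/proc/*/cmdline`.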
diff --git a/charts/barbican/templates/configmap-bin.yaml b/charts/barbican/templates/configmap-bin.yaml
new file mode 100644
index 0000000..0b86060
--- /dev/null
+++ b/charts/barbican/templates/configmap-bin.yaml
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: barbican-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ barbican-test.sh: |
+{{ tuple "bin/_barbican-test.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ barbican.sh: |
+{{ tuple "bin/_barbican.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+ simple_crypto_kek_rewrap.py: |
+{{ tuple "bin/_simple_crypto_kek_rewrap.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/barbican/templates/configmap-etc.yaml b/charts/barbican/templates/configmap-etc.yaml
new file mode 100644
index 0000000..c8e08cb
--- /dev/null
+++ b/charts/barbican/templates/configmap-etc.yaml
@@ -0,0 +1,104 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.barbican.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "region_name" .Values.endpoints.identity.auth.barbican.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "project_name" .Values.endpoints.identity.auth.barbican.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.barbican.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.barbican.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "username" .Values.endpoints.identity.auth.barbican.username -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "password" .Values.endpoints.identity.auth.barbican.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.barbican.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.DEFAULT.sql_connection -}}
+{{- $connection := tuple "oslo_db" "internal" "barbican" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.barbican.DEFAULT "sql_connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.barbican.DEFAULT "sql_connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "barbican" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.barbican.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- $barbicanPath := index .Values "endpoints" "key_manager" "path" "default" }}
+{{- if empty .Values.conf.barbican.DEFAULT.host_href -}}
+{{- $_ := tuple "key_manager" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix $barbicanPath | set .Values.conf.barbican.DEFAULT "host_href" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican.barbican_api.bind_port -}}
+{{- $_ := tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.barbican.barbican_api "bind_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.barbican_api.uwsgi.socket -}}
+{{- $_ := printf ":%s" ( tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" ) | set .Values.conf.barbican_api.uwsgi "socket" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: barbican-etc
+type: Opaque
+data:
+ barbican.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.barbican | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+ barbican-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.audit_map | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+ barbican-api.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api | b64enc }}
+ old_kek: {{ index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" | b64enc | quote }}
+{{- end }}
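Review bot: `memcache_secret_key` falls back to `randAlphaNum 64` at render time, so every `helm upgrade` that does not set `endpoints.oslo_cache.auth.memcache_secret_key` produces a fresh key, which changes the `barbican-etc` Secret and, through the configmap-etc-hash annotation on the API Deployment, rolls every API pod and invalidates its cached tokens on each upgrade. Add a comment on that line, `# NOTE: set endpoints.oslo_cache.auth.memcache_secret_key explicitly; the random fallback is regenerated on every render`, or source the value from a persisted Secret. Also, `old_kek` is rendered into the same `barbican-etc` Secret that holds `barbican.conf`, and with it the current `simple_crypto_plugin.kek` when one is configured, so anyone with `get` on that one Secret obtains both the old and the new global KEK; keeping the old KEK in a separate Secret consumed only by the db-sync Job narrows that blast radius. Minor: `auth_uri` is the deprecated keystonemiddleware option name, `www_authenticate_uri` is its replacement, though the middleware still accepts the old key.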
diff --git a/charts/barbican/templates/deployment-api.yaml b/charts/barbican/templates/deployment-api.yaml
new file mode 100644
index 0000000..9033971
--- /dev/null
+++ b/charts/barbican/templates/deployment-api.yaml
@@ -0,0 +1,131 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_barbican_api := .Values.pod.mounts.barbican_api.barbican_api }}
+{{- $mounts_barbican_api_init := .Values.pod.mounts.barbican_api.init_container }}
+
+{{- $serviceAccountName := "barbican-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: barbican-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "barbican-api" "containerNames" (list "init" "barbican-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "barbican" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.barbican.enabled }}
+{{ tuple $envAll "barbican" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_barbican_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: barbican-api
+{{ tuple $envAll "barbican_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "barbican" "container" "barbican_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/barbican.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/barbican.sh
+ - stop
+ ports:
+ - name: b-api
+ containerPort: {{ tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "key_manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcbarbican
+ mountPath: /etc/barbican
+ - name: barbican-etc
+ mountPath: /etc/barbican/vassals/barbican-api.ini
+ subPath: barbican-api.ini
+ readOnly: true
+ - name: barbican-etc
+ mountPath: /etc/barbican/barbican.conf
+ subPath: barbican.conf
+ readOnly: true
+ {{- if .Values.conf.barbican.DEFAULT.log_config_append }}
+ - name: barbican-etc
+ mountPath: {{ .Values.conf.barbican.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.barbican.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: barbican-etc
+ mountPath: /etc/barbican/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+ - name: barbican-etc
+ mountPath: /etc/barbican/barbican-api-paste.ini
+ subPath: barbican-api-paste.ini
+ readOnly: true
+ - name: barbican-etc
+ mountPath: /etc/barbican/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: barbican-bin
+ mountPath: /tmp/barbican.sh
+ subPath: barbican.sh
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etcbarbican
+ emptyDir: {}
+ - name: barbican-etc
+ secret:
+ secretName: barbican-etc
+ defaultMode: 0444
+ - name: barbican-bin
+ configMap:
+ name: barbican-bin
+ defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
+{{- end }}
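Review bot: The `barbican-etc` Secret volume is mounted with `defaultMode: 0444`, and it carries `barbican.conf`, which in this chart holds the simple_crypto KEK when one is configured (the db-sync template reads it from `.Values.conf.barbican.simple_crypto_plugin.kek`); world-readable mode means any uid inside the container can read the key, not only the one uwsgi runs as. Tighten to `defaultMode: 0440` (or `0400`) and rely on the pod security context snippet to set a matching runAsUser/fsGroup — I cannot see what that snippet sets, so confirm before changing. The container has only a tcpSocket readinessProbe and no livenessProbe, so a wedged uwsgi master that still holds the listening socket is never restarted; an HTTP probe against the API root would be stronger. The `old_kek` key is deliberately not subPath-mounted into the API pod, which is correct.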
diff --git a/charts/barbican/templates/ingress-api.yaml b/charts/barbican/templates/ingress-api.yaml
new file mode 100644
index 0000000..6105887
--- /dev/null
+++ b/charts/barbican/templates/ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "key_manager" "backendPort" "b-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-bootstrap.yaml b/charts/barbican/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..ced8bc3
--- /dev/null
+++ b/charts/barbican/templates/job-bootstrap.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "barbican" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.barbican.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-db-drop.yaml b/charts/barbican/templates/job-db-drop.yaml
new file mode 100644
index 0000000..b6f0a6f
--- /dev/null
+++ b/charts/barbican/templates/job-db-drop.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $serviceName := "barbican" -}}
+{{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "DEFAULT" "configDbKey" "sql_connection" -}}
+{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-db-init.yaml b/charts/barbican/templates/job-db-init.yaml
new file mode 100644
index 0000000..afe16dc
--- /dev/null
+++ b/charts/barbican/templates/job-db-init.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $serviceName := "barbican" -}}
+{{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "DEFAULT" "configDbKey" "sql_connection" -}}
+{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-db-sync.yaml b/charts/barbican/templates/job-db-sync.yaml
new file mode 100644
index 0000000..587be68
--- /dev/null
+++ b/charts/barbican/templates/job-db-sync.yaml
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+{{- end }}
+
+{{- $podVolMounts := .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumeMounts | default list }}
+{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-sh" "mountPath" "/tmp/simple_crypto_kek_rewrap.py" "subPath" "simple_crypto_kek_rewrap.py" "readOnly" true) }}
+{{- $podVolMounts = append $podVolMounts (dict "name" "db-sync-conf" "mountPath" "/tmp/old_kek" "subPath" "old_kek" "readOnly" true) }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "barbican" "podVolMounts" $podVolMounts "podVols" .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
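Review bot: The three `$podVolMounts` assignments sit above the `{{- if .Values.manifests.job_db_sync }}` guard, so `.Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumeMounts` is dereferenced even when the job is disabled, and an override that nulls out `pod.mounts.barbican_db_sync` makes rendering fail for a job that would never be emitted. Moving the three `{{- $podVolMounts ... }}` lines directly below the guard keeps that failure scoped to deployments that actually render the job. The `db-sync-sh` and `db-sync-conf` volumes these mounts reference are not declared in this template, so they presumably come from the `helm-toolkit.manifests.job_db_sync` definition; a one-line comment such as `{{/* db-sync-sh / db-sync-conf are the bin configmap and etc secret volumes declared by helm-toolkit's job_db_sync */}}` would save the next reader the hunt, and would also make clear that `old_kek` (key material) is being mounted read-only from the etc secret rather than from a configmap.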
diff --git a/charts/barbican/templates/job-image-repo-sync.yaml b/charts/barbican/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..5faccb1
--- /dev/null
+++ b/charts/barbican/templates/job-image-repo-sync.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "barbican" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-ks-endpoints.yaml b/charts/barbican/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..023f58e
--- /dev/null
+++ b/charts/barbican/templates/job-ks-endpoints.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "barbican" "serviceTypes" ( tuple "key-manager" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-ks-service.yaml b/charts/barbican/templates/job-ks-service.yaml
new file mode 100644
index 0000000..c0e0683
--- /dev/null
+++ b/charts/barbican/templates/job-ks-service.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "barbican" "serviceTypes" ( tuple "key-manager" ) "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-ks-user.yaml b/charts/barbican/templates/job-ks-user.yaml
new file mode 100644
index 0000000..e16e033
--- /dev/null
+++ b/charts/barbican/templates/job-ks-user.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "barbican" "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/barbican/templates/job-rabbit-init.yaml b/charts/barbican/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..75bb5fc
--- /dev/null
+++ b/charts/barbican/templates/job-rabbit-init.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+{{- if .Values.helm3_hook }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "barbican" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{- if .Values.pod.tolerations.barbican.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/barbican/templates/network_policy.yaml b/charts/barbican/templates/network_policy.yaml
new file mode 100644
index 0000000..1c50699
--- /dev/null
+++ b/charts/barbican/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "barbican" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
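Review bot: The rules this policy carries come entirely from `network_policy.barbican` in values, and the defaults shipped in this commit are `ingress: - {}` and `egress: - {}`, which match every peer and therefore allow all traffic in both directions once `manifests.network_policy` is enabled. For the key-manager service that means a deployment which turns the policy on without overriding those rules gets the appearance of segmentation with none of the effect. A comment above the `$netpol_opts` line would make this explicit, e.g. `{{/* NOTE: the default network_policy.barbican rules in values.yaml are allow-all ({}); restrict ingress to API consumers and egress to oslo_db/identity/oslo_messaging before relying on this policy. */}}`.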
diff --git a/charts/barbican/templates/pdb-api.yaml b/charts/barbican/templates/pdb-api.yaml
new file mode 100644
index 0000000..e155d76
--- /dev/null
+++ b/charts/barbican/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: barbican-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
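Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget was removed in Kubernetes 1.25 (`policy/v1` has been served since 1.21), so this manifest is rejected on current clusters whenever `manifests.pdb_api` is enabled; if the chart's supported range allows it, change the line to `apiVersion: policy/v1`, otherwise select the version with `.Capabilities.APIVersions.Has "policy/v1"`. Note also that the default `pod.lifecycle.disruption_budget.api.min_available` in this commit's values is `0`, so the rendered budget permits evicting every API pod and provides no protection until an operator raises it; a comment on the `minAvailable:` line pointing that out would help.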
diff --git a/charts/barbican/templates/pod-test.yaml b/charts/barbican/templates/pod-test.yaml
new file mode 100644
index 0000000..f414356
--- /dev/null
+++ b/charts/barbican/templates/pod-test.yaml
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_test }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.static.tests }}
+
+{{- $mounts_barbican_tests := .Values.pod.mounts.barbican_tests.barbican_tests }}
+{{- $mounts_barbican_tests_init := .Values.pod.mounts.barbican_tests.init_container }}
+
+{{- $serviceAccountName := print .Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{.Release.Name}}-test"
+ labels:
+{{ tuple $envAll "barbican" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.barbican.enabled }}
+{{ tuple $envAll "barbican" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
+ restartPolicy: Never
+ initContainers:
+{{ tuple $envAll "tests" $mounts_barbican_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ containers:
+ - name: barbican-test
+{{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "barbican_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ command:
+ - /tmp/barbican-test.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: barbican-bin
+ mountPath: /tmp/barbican-test.sh
+ subPath: barbican-test.sh
+ readOnly: true
+{{ if $mounts_barbican_tests.volumeMounts }}{{ toYaml $mounts_barbican_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: barbican-bin
+ configMap:
+ name: barbican-bin
+ defaultMode: 0555
+{{ if $mounts_barbican_tests.volumes }}{{ toYaml $mounts_barbican_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
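Review bot: The test container is handed the Keystone admin credentials (`ksUserSecret` set to `.Values.secrets.identity.admin`) although a key-manager smoke test presumably only needs a project-scoped user; if `barbican-test.sh` (not visible here) does not require admin rights, pointing the dict at `.Values.secrets.identity.barbican` keeps a pod that runs test tooling from holding cloud-admin tokens. Separately, `"helm.sh/hook": test-success` is the Helm 2 spelling; Helm 3 still accepts it as an alias but documents `test`, so `"helm.sh/hook": test` is the forward-compatible form given that `helm3_hook: true` is the chart default.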
diff --git a/charts/barbican/templates/secret-db.yaml b/charts/barbican/templates/secret-db.yaml
new file mode 100644
index 0000000..a2ac53b
--- /dev/null
+++ b/charts/barbican/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "barbican" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
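Review bot: The TLS branch appends `ssl_verify_cert`, which makes the client validate the server certificate against `ssl_ca`, but with PyMySQL hostname matching is controlled separately by `ssl_verify_identity`; without it a certificate issued by the same CA for any other host is accepted, so the connection string should probably end `...&ssl_verify_cert&ssl_verify_identity` — confirm against the driver the `db_init` and `db_sync` images actually use. The non-TLS branch, rendered whenever `manifests.certificates` is false, puts the admin and service database passwords on a plaintext MySQL session; a short comment on the `{{- else }}` line such as `{{/* no certificates: credentials travel in clear text to oslo_db; enable manifests.certificates for a key-manager deployment */}}` would make that trade-off explicit to operators.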
diff --git a/charts/barbican/templates/secret-ingress-tls.yaml b/charts/barbican/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..ff4678a
--- /dev/null
+++ b/charts/barbican/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key_manager" ) }}
+{{- end }}
diff --git a/charts/barbican/templates/secret-keystone.yaml b/charts/barbican/templates/secret-keystone.yaml
new file mode 100644
index 0000000..845b476
--- /dev/null
+++ b/charts/barbican/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "barbican" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/templates/secret-rabbitmq.yaml b/charts/barbican/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..b66c828
--- /dev/null
+++ b/charts/barbican/templates/secret-rabbitmq.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "barbican" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/barbican/templates/service-api.yaml b/charts/barbican/templates/service-api.yaml
new file mode 100644
index 0000000..0f63ee3
--- /dev/null
+++ b/charts/barbican/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "key-manager" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: b-api
+ port: {{ tuple "key-manager" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.api.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
diff --git a/charts/barbican/templates/service-ingress-api.yaml b/charts/barbican/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..c4a9d87
--- /dev/null
+++ b/charts/barbican/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/barbican/values.yaml b/charts/barbican/values.yaml
new file mode 100644
index 0000000..5bd154e
--- /dev/null
+++ b/charts/barbican/values.yaml
@@ -0,0 +1,681 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for barbican.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+release_group: null
+
+# NOTE(philsphicas): the pre-install hook breaks upgrade for helm2
+# Set to false to upgrade using helm2
+helm3_hook: true
+
+images:
+ tags:
+ bootstrap: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ scripted_test: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ db_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ barbican_db_sync: docker.io/openstackhelm/barbican:ussuri-ubuntu_bionic
+ db_drop: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ ks_user: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ ks_service: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ ks_endpoints: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ barbican_api: docker.io/openstackhelm/barbican:ussuri-ubuntu_bionic
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+pod:
+ security_context:
+ barbican:
+ pod:
+ runAsUser: 42424
+ container:
+ barbican_api:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ test:
+ pod:
+ runAsUser: 42424
+ container:
+ barbican_test:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ tolerations:
+ barbican:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ mounts:
+ barbican_api:
+ init_container: null
+ barbican_api:
+ volumeMounts:
+ volumes:
+ barbican_bootstrap:
+ init_container: null
+ barbican_bootstrap:
+ volumeMounts:
+ volumes:
+ barbican_tests:
+ init_container: null
+ barbican_tests:
+ volumeMounts:
+ volumes:
+ barbican_db_sync:
+ barbican_db_sync:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30486
+
+network_policy:
+ barbican:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+bootstrap:
+ enabled: false
+ ks_user: barbican
+ script: |
+ openstack token issue
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - barbican-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ api:
+ jobs:
+ - barbican-db-sync
+ - barbican-ks-user
+ - barbican-ks-endpoints
+ - barbican-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - barbican-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+ ks_endpoints:
+ jobs:
+ - barbican-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+
+conf:
+ paste:
+ composite:main:
+ use: egg:Paste#urlmap
+ /: barbican_version
+ /v1: barbican-api-keystone
+ pipeline:barbican_version:
+ pipeline: cors http_proxy_to_wsgi versionapp
+ pipeline:barbican_api:
+ pipeline: cors http_proxy_to_wsgi unauthenticated-context apiapp
+ pipeline:barbican-profile:
+ pipeline: cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
+ pipeline:barbican-api-keystone:
+ pipeline: cors http_proxy_to_wsgi authtoken context apiapp
+ pipeline:barbican-api-keystone-audit:
+ pipeline: http_proxy_to_wsgi authtoken context audit apiapp
+ app:apiapp:
+ paste.app_factory: barbican.api.app:create_main_app
+ app:versionapp:
+ paste.app_factory: barbican.api.app:create_version_app
+ filter:simple:
+ paste.filter_factory: barbican.api.middleware.simple:SimpleFilter.factory
+ filter:unauthenticated-context:
+ paste.filter_factory: barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
+ filter:context:
+ paste.filter_factory: barbican.api.middleware.context:ContextMiddleware.factory
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/barbican/api_audit_map.conf
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:profile:
+ use: egg:repoze.profile
+ log_filename: myapp.profile
+ cachegrind_filename: cachegrind.out.myapp
+ discard_first_request: true
+ path: /__profile__
+ flush_at_shutdown: true
+ unwind: false
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: barbican
+ filter:http_proxy_to_wsgi:
+ paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
+ policy: {}
+ audit_map:
+ DEFAULT:
+ # default target endpoint type
+ # should match the endpoint type defined in service catalog
+ target_endpoint_type: key-manager
+ custom_actions:
+ # map urls ending with specific text to a unique action
+ # Don't need custom mapping for other resource operations
+ # Note: action should match action names defined in CADF taxonomy
+ acl/get: read
+ path_keywords:
+ # path of api requests for CADF target typeURI
+ # Just need to include top resource path to identify class of resources
+ secrets: null
+ containers: null
+ orders: null
+ cas: "None"
+ quotas: null
+ project-quotas: null
+ service_endpoints:
+ # map endpoint type defined in service catalog to CADF typeURI
+ key-manager: service/security/keymanager
+ barbican_api:
+ uwsgi:
+ socket: null
+ protocol: http
+ processes: 1
+ lazy: true
+ vacuum: true
+ no-default-app: true
+ memory-report: true
+ plugins: python
+ paste: "config:/etc/barbican/barbican-api-paste.ini"
+ add-header: "Connection: close"
+ barbican:
+ DEFAULT:
+ transport_url: null
+ log_config_append: /etc/barbican/logging.conf
+ keystone_authtoken:
+ auth_type: password
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ memcache_secret_key: null
+ database:
+ max_retries: -1
+ barbican_api:
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ bind_port: null
+ oslo_policy:
+ policy_file: /etc/barbican/policy.yaml
+ # When using the simple_crypto_plugin, a kek must be provided as:
+ # .conf.barbican.simple_crypto_plugin.kek
+ # If no kek is provided, barbican will use a well-known default.
+ # If upgrading the chart with a new kek, the old kek must be provided as:
+ # .conf.simple_crypto_plugin_rewrap.old_kek
+ # Please refer to the .conf.simple_crypto_key_rewrap section below.
+ # The barbican defaults are included here as a reference:
+ # secretstore:
+ # enabled_secretstore_plugins:
+ # - store_crypto
+ # crypto:
+ # enabled_crypto_plugins:
+ # - simple_crypto
+ # simple_crypto_plugin:
+ # # The kek should be a 32-byte value which is base64 encoded.
+ # kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
+ # KEK rotation for the simple_crypto plugin
+ simple_crypto_kek_rewrap:
+
+ # To allow for chart upgrades when modifying the Key Encryption Key, the
+ # db-sync job can rewrap the existing project keys with the new kek, leaving
+ # each secret’s encrypted data unchanged.
+
+ # This feature is enabled automatically, if a kek is specified at:
+ # .conf.barbican.simple_crypto_plugin.kek
+ # and the previous kek is also specified at:
+ # .conf.simple_crypto_kek_rewrap.old_kek
+
+ # The project keys are decrypted with 'old_kek' and re-encrypted with the
+ # target kek (as defined in barbican.conf).
+ # This resembles the lightweight rotation described here, which was never
+ # implemented for the simple crypto plugin:
+ # https://specs.openstack.org/openstack/barbican-specs/specs/liberty/add-crypto-mkek-rotation-support-lightweight.html
+
+ # The KEK value "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=" matches the
+ # plugin default, and is retained here for convenience, in case the chart was
+ # previously installed without explicitly specifying a kek.
+ old_kek: "dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg="
+ logging:
+ loggers:
+ keys:
+ - root
+ - barbican
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_barbican:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: barbican
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: barbican-keystone-admin
+ barbican: barbican-keystone-user
+ oslo_db:
+ admin: barbican-db-admin
+ barbican: barbican-db-user
+ oslo_messaging:
+ admin: barbican-rabbitmq-admin
+ barbican: barbican-rabbitmq-user
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ barbican:
+ role: admin
+ region_name: RegionOne
+ username: barbican
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ port:
+ api:
+ default: 9311
+ public: 80
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ barbican:
+ username: barbican
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /barbican
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ barbican:
+ username: barbican
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /barbican
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ fluentd:
+ namespace: null
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+ # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+ # They are using to enable the Egress K8s network policy.
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns:
+ default: 53
+ protocol: UDP
+ ingress:
+ namespace: null
+ name: ingress
+ hosts:
+ default: ingress
+ port:
+ ingress:
+ default: 80
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ deployment_api: true
+ ingress_api: true
+ job_bootstrap: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ job_rabbit_init: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ pdb_api: true
+ pod_test: true
+ secret_db: true
+ network_policy: false
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ service_ingress_api: true
+ service_api: true
+...
diff --git a/charts/ceph-provisioners/Chart.yaml b/charts/ceph-provisioners/Chart.yaml
new file mode 100644
index 0000000..057dec8
--- /dev/null
+++ b/charts/ceph-provisioners/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Ceph Provisioner
+home: https://github.com/ceph/ceph
+name: ceph-provisioners
+version: 0.1.8
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/Chart.yaml b/charts/ceph-provisioners/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..f762292
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.17
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/requirements.lock b/charts/ceph-provisioners/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..df843bb
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2021-07-27T15:44:21.585311483Z"
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/requirements.yaml b/charts/ceph-provisioners/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
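Review bot: The username and password are spliced into the URI verbatim on L11879, so a password containing `@`, `:`, `/`, `#` or `%` produces a connection string that parses to the wrong host or fails outright — which in practice pushes operators to keep the `password` defaults instead of strong generated values. Helm exposes Go's built-in `urlquery`; escaping both fields, `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}`, keeps the URI well-formed (`urlquery` encodes a space as `+`, which should be confirmed against how oslo.db/SQLAlchemy decode userinfo). The returned string carries the plaintext credential, so the abstract should state that callers must render it only into a Secret, never a ConfigMap.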
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
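Review bot: `until ( atoi (print $ssMap.replicas ) )` on L11995 silently yields zero hosts when `statefulset` is a map whose `replicas` is missing or non-numeric, because `atoi` returns 0 on parse failure; the helper then returns a URL of the form `rabbit:///cinder` with no host, which only surfaces as a connection failure at runtime. A render-time guard before the range, `{{- $replicas := required "endpoints.<type>.statefulset.replicas must be set" $ssMap.replicas }}`, turns that into a clear error. The credential interpolation on L11996 and L12001 is also unescaped, so a password with URL-reserved characters breaks the transport URL; piping `$endpointUser` and `$endpointPass` through `urlquery` when they are read on L11988–L11989 avoids that.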
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
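Review bot: The IPv4 test on L12096 is unanchored, so any hostname that merely contains a dotted quad (e.g. `db-10.0.0.1.example`) is treated as an IP literal and returned without FQDN resolution, while a genuine IPv6 literal never matches and gets `.<ns>.svc.<suffix>` appended by the fallback branch. Anchoring the pattern, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, removes the false-positive case; IPv6 would need its own branch or a documented "not supported" caveat in the abstract. Separately, L12091–L12093 use `$context.Values.__endpointHost` as scratch state, which leaves a `__endpointHost` key in the chart's Values for the rest of the render (visible in any `toYaml .Values` or `--debug` output); with Helm 3's reassignable variables a local `$host = ...` would avoid the side effect. `$endpointScheme` on L12090 is unused.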
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
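Review bot: `printf "%1.f"` on L12149 renders correctly only when the port reaches the helper as a float64 (the usual case after Helm's values round-trip); a port supplied as a quoted string in an override renders as `%!f(string=3306)`, producing a broken endpoint with no render-time error. `{{- $endpointPort | toString -}}` (Sprig) gives `3306` for float64, int and string alike — worth confirming against the value types that actually reach this helper. A `required` check on `$endpointPortMAP` after L12147 would also turn a mistyped port name into a readable failure rather than an opaque template index error.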
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
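Review bot: A missing token renders as the literal string `%!s(<nil>)` instead of failing: `index` on L12190 returns nil for an absent key and `printf "%s"` on L12191 formats nil that way, so a chart that never set `endpoints.<type>.auth.<user>.token` would ship a manifest carrying garbage credentials. Wrapping the lookup, e.g. `{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" | required "endpoint auth token must be set" }}`, fails at render time. Because the return value is the raw secret, the abstract should say callers must route it into a Secret (typically via `b64enc`), never a ConfigMap, and the realistic-looking example value on L12179/L12183 is better replaced with an obvious placeholder such as `<token>` so it is not copied into real deployments.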
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
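Review bot: L12328–L12331 use `$context.Values.__FQDNendpointHostDefault` as a mutable scratch slot inside the caller's Values, which leaks a `__FQDNendpointHostDefault` key into `.Values` for the rest of the render and shows up in any `toYaml .Values` dump or `--debug` output. With Helm 3 templates variables can be reassigned, so a local `$fqdnDefault := index $endpointMap.host_fqdn_override "default" | default ""` followed by `{{- $fqdnDefault = index $fqdnDefault "host" }}` inside the `if` gives the same result without the side effect. The fallback chains on L12333 and L12336 also silently drop to the cluster hostname when an override entry is a map without a `host` key, which looks like a misconfiguration that a `fail` would catch earlier.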
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
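Review bot: The IPv4 branch on L12446–L12447 returns the endpoint *type* (e.g. `oslo_db`) rather than anything derived from the host, and neither the abstract nor the two examples mention that, so a caller with `hosts.default: 127.0.0.1` gets a surprising value. A third example for that case plus a comment such as `{{/* an IP literal has no short name; fall back to the endpoint type so callers still get a label */}}` — assuming that is the intent, please confirm — would make it explicit. As in the host lookup, the regex is unanchored, so `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` avoids matching hostnames that merely contain a dotted quad, and `$endpointScheme` on L12440 is unused.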
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
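Review bot: The usage example in the header comment does not match the template it documents: `{{ tuple identity . | include "keystone_endpoint_name_lookup" }}` passes an unquoted `identity` and an include name without the `helm-toolkit.endpoints.` prefix, so copying it will not render. It should read `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`, and the abstract line should say "for a service type" rather than "an service type". Since this is a bundled copy of helm-toolkit, the same fix belongs upstream.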
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
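Review bot: The free-standing comment above the define refers to `helm-toolkit.endpoints.keystone_scheme_lookup`, which is not the name defined here (`helm-toolkit.endpoints.keystone_endpoint_scheme_lookup`), and it sits outside a `{{/* */}}` block, unlike the rest of the header. Both branches fall back to `"http"`, so a missing or misspelled `scheme` key silently yields a plaintext URL rather than a render error; that is worth stating in the abstract, e.g. `# Falls back to plain "http" when no scheme is configured for the endpoint class; set scheme explicitly for TLS endpoints.` The `$port` argument is read but never used, which the FIXME already acknowledges.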
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
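Review bot: `regexMatch` is applied to `$endpointName` without first checking whether it is a map, so the `hosts.<endpoint>: {host: ...}` form that `hostname_short_endpoint_lookup` handles with `kindIs "map"` would, as far as I can tell, fail here with a type error instead of resolving the host. In the IP-address branch, `.service.name` is evaluated even when the endpoint has no `service` key, which in Helm normally produces a nil-pointer render error rather than falling through to the `$typeYamlSafe` default; guard it with `{{- if and (hasKey . "service") .service.name }}` (or nested ifs on Helm builds older than Go 1.18, where `and` does not short-circuit). The IPv4 pattern is also unanchored, so a hostname such as `10.1.2.3.example` is treated as an address.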
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
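Review bot: `monitors: {{ $monHost }}` is emitted unquoted while every other parameter goes through `quote`; a `mon_host` value that starts with `[` (the msgr2 `[v2:...,v1:...]` form) or contains `, ` would be read by YAML as a flow sequence or split value instead of the string the StorageClass expects. Use `monitors: {{ $monHost | quote }}` for consistency with the `range` below. The lookup `$envAll.Values.conf.ceph.global.mon_host` presumably assumes every consuming chart defines `conf.ceph.global`; if not, rendering fails before the `empty` check is reached — worth a comment in the abstract.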
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..241e8b1
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,160 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ keySize: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ keySize: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+
+ - values: |
+ cert_manager_version: v0.15.0
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ keySize: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1alpha3
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ keySize: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default keySize to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "keySize") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "keySize" -}}
+{{- end -}}
+{{/* Default keySize to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+{{- $cert_manager_version := "v1.0.0" -}}
+{{- if $envAll.Values.cert_manager_version -}}
+{{- $cert_manager_version = $envAll.Values.cert_manager_version -}}
+{{- end -}}
+---
+{{- if semverCompare "< v1.0.0" $cert_manager_version }}
+apiVersion: cert-manager.io/v1alpha3
+{{- else }}
+apiVersion: cert-manager.io/v1
+{{- end }}
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
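Review bot: The comment `Default keySize to 3 months. Note the min is 720h.` describes the `duration` default, not `keySize`, and should read `Default duration to 3 months (2190h). Note the min is 720h. This can be overridden.` The abstract should also state that the function writes its defaults back into `Values.endpoints.<service>.host_fqdn_override.default.tls` via `set`, so later templates in the same render observe the mutated values. Because `spec:` is the raw `tls` map passed through `toYaml`, any key not in the cert-manager Certificate schema is copied into the manifest verbatim; if a chart keeps static `crt`/`key` material under the same map (the layout the ingress examples use for `public`), that material would end up in the rendered Certificate, so a comment warning that this map must contain only Certificate spec fields would help. The default `usages` of both `server auth` and `client auth` is broader than an endpoint's server certificate needs; documenting why client auth is included by default, or leaving it to the caller, would be the least-privilege choice.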
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..2d62a17
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,657 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: barbican-api
+ servicePort: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: grafana-dashboard
+ servicePort: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: grafana-dashboard
+ servicePort: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: grafana-dashboard
+ servicePort: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: grafana-dashboard
+ servicePort: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: grafana-dashboard
+ servicePort: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: grafana-dashboard
+ servicePort: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: grafana-dashboard
+ servicePort: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: {{ $backendName }}
+ servicePort: {{ $backendPort }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..6bd0898
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,131 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..cfd64ff
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,160 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..4463397
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..979211d
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,127 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..6df37b6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,120 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..ca9f6c3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,114 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..42f2370
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,120 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: {{ $restartPolicy }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..5574032
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..bea6876
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..36af63f
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,149 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..2e67006
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,109 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
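Review bot: The `docker-socket` volume near the end of the hunk is a `hostPath` to `/var/run/docker.sock`, which gives anything running in the `image-repo-sync` container control of every container on that node, yet the template sets no container securityContext and the mount carries no `readOnly` (which would not restrict a socket anyway). Add a comment above the volume such as `# hostPath to the container-runtime socket: equivalent to root on the node; schedule this job only on nodes dedicated to the local registry`, and consider rendering a container securityContext from values so consumers can at least drop capabilities. The header comment should also state that the job assumes a Docker runtime, since on containerd nodes the socket path does not exist and the pod fails at start.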
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
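Review bot: The second `usage:` example in the header comment is missing its `| include "helm-toolkit.manifests.kubernetes_network_policy"`, so as written it documents a dict expression that renders nothing; it should read `{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp") | include "helm-toolkit.manifests.kubernetes_network_policy" }}`. The `return:` example also shows a `podSelector` for `name: default` where the values example used a `namespaceSelector`. In the egress loop, destinations for endpoints with `hosts` are derived by splitting the host name on `-` and using the first token as the `application` label, so an endpoint host such as `keystone-api` admits egress to every pod labelled `application: keystone`; that widening is not visible from values and deserves a comment on the `split "-"` lines. It is also worth noting in the header that `policyTypes` only lists `Egress` when the label's values carry an `egress` key or an explicit `policyTypes`, so the generated egress block otherwise has no effect — presumably open-by-default by design, but currently undocumented.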
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
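Review bot: The TLS private key is read straight from `endpoints.<service>.host_fqdn_override.<endpoint>.tls.key` in values, so anyone committing a values override for this chart commits key material in cleartext; the abstract should state that the intended flow is an externally supplied override (or a pre-existing Secret) rather than checked-in values. When `tls.ca` is set the chain is built with `join "\n"`, and because block scalars keep their trailing newline the documented output decodes to `FOO-CRT`, a blank line, then `FOO-CA_CRT`; PEM parsers generally tolerate this, but a comment on that line should record that the double newline is expected for block-scalar input so nobody replaces it with `join ""` and breaks inputs that lack a trailing newline. The template also silently emits nothing when `key` or `crt` is empty, which a consumer who believes TLS is enabled would want surfaced — a comment on the `if and $endpointHost.tls.key $endpointHost.tls.crt` line stating that behaviour would help.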
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
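Review bot: The `clusterIP` lookup indexes `$envAll.Values.endpoints` with `$backendServiceType` exactly as given (`key-manager` in the header's example), while the sibling `secret_ingress_tls` template in this series converts the same argument with `replace "-" "_"` before indexing `endpoints`; if the endpoints keys use underscores, the `ip.ingress` override here is never found and the Service silently gets a dynamic ClusterIP instead of the pinned one. Either apply the same `replace "-" "_"` on the three `index` lines or document in the header that `backendServiceType` must match the endpoints key literally. The hard-coded `app: ingress-api` selector also deserves a comment, since it couples this Service to the namespace ingress controller's pod labels.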
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
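Review bot: For any `RGW_PROTO` other than `http` the script disables certificate verification (`--no-check-certificate`), so the admin access key and secret in `ADMIN_AUTH_ARGS` are presented to whatever answers at `$RGW_HOST` over TLS without authenticating the peer. Verification should be the default, with the CA supplied through s3cmd's `--ca-certs=<mounted CA path>` and the insecure flag gated behind an explicit opt-in (for example a constructed `[ "$RGW_TLS_INSECURE" = "true" ]` variable), and the choice should be stated in a comment above the `if` so operators know what the `else` branch gives up. Separately, `$S3_BUCKET` and `$S3_USERNAME` are expanded unquoted in the `s3cmd` calls; word-splitting is intended for the argument bundles, but bucket or user names containing spaces or glob characters would misbehave.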
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
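Review bot: `user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)` treats every failure of `radosgw-admin` — an unreachable cluster or a missing keyring as much as a genuinely absent user — as "user does not exist" and proceeds to `create_s3_user`; the same `|| true` on the two `user info | jq` pipelines in `update_s3_user` makes a transient failure look like an empty key list, at which point the `user modify` branch replaces the user's key pair. Run `user info` without `|| true`, capture its status and output separately, and only fall through to create or modify when the command reported the user or key as absent rather than on any non-zero exit; `set -o pipefail` would additionally stop `jq` from masking the producer's status on the pipelines. The `for access_key` loop deliberately removes every key that differs from `S3_ACCESS_KEY`, which is a rotation policy worth stating in a comment above the loop.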
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
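Review bot: `DROP DATABASE IF EXISTS {0}` and `DROP USER IF EXISTS {0}` splice the database and user names taken from the service connection URL into SQL unquoted; the values come from chart configuration rather than end users, but a name containing a hyphen or a reserved word breaks the statement, and the sibling `db_init` script already backtick-quotes the database in its GRANT, so `"DROP DATABASE IF EXISTS `{0}`"` and `"DROP USER IF EXISTS '{0}'"` would be both safer and consistent. Rebuilding `root_engine_url` by hand puts the root password into a plain string local and drops the database and any query parameters the original URL carried; passing `connect_args=ssl_args` to a `create_engine(db_connection, ...)` call on the original string avoids both. The `password` local is assigned but never used in this script.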
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
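Review bot: The GRANT at the end of the hunk interpolates the service password and the `MARIADB_X509` environment value straight into SQL (`IDENTIFIED BY '{2}' {3}`), so a generated password containing `'` or `\` corrupts the statement; the password comes from chart secrets rather than users, so this is a correctness hazard rather than an injection, but it surfaces as an unexplained job failure. Escape the literal before formatting (at minimum `password.replace('\\', '\\\\').replace("'", "\\'")`) or let the driver bind it where it supports that, and backtick-quote the database in `CREATE DATABASE IF NOT EXISTS {0}` to match the GRANT. The header comment should state what `MARIADB_X509` is expected to hold, since the script pastes it verbatim after `IDENTIFIED BY` (presumably a `REQUIRE X509` clause) and any other value becomes part of the GRANT. It is also worth noting there that `GRANT ... IDENTIFIED BY` creates the account implicitly on MariaDB but is rejected by MySQL 8, if MySQL is a supported backend.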
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..93cea25
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+{{- end }}
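Review bot: With `set -ex` at the top of the template, the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` invocations after the `#create db user` and `#Set password everytime` comments are echoed by xtrace, so the plaintext database password lands in the job's log output. The same commit's `_ks-user.sh.tpl` brackets its password-setting call with `set +x` / `set -x` and echoes a redacted form; wrapping those two `pgsql_superuser_cmd` calls the same way would keep this script consistent with it. Separately, `EXPORT PGDATABASE=$2` inside `pgsql_superuser_cmd` uses an uppercase `EXPORT`, which is not a shell builtin, so any caller that passes a second argument would abort with "command not found" under `set -e`; it should read `export PGDATABASE=$2`. No caller in this hunk passes a second argument, so that defect is currently latent.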
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
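Review bot: The `--password="${SERVICE_OS_PASSWORD}"` arguments on the `openstack user create` and `openstack user set` lines are printed by the `set -ex` trace, so the service user's password ends up in the job's stdout. `_ks-user.sh.tpl` in this commit avoids that by leaving `--password` off `user create`, wrapping the `user set` call in `set +x` … `set -x`, and echoing a redacted `--password=xxxxxxx` line instead; the same treatment here would bring the two scripts in line. Because `user set --password=...` runs unconditionally right after, the `--password` on the `--or-show` create is redundant and can simply be dropped.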
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
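Review bot: `OS_SERVICE_ID` is never checked for being empty before it is handed to `openstack endpoint create`, and because the lookup is a pipeline ending in `sed`, `set -e` does not catch a failed `openstack service list` or a non-matching `grep`; the script would then try to create an endpoint against an empty service id. A guard directly after the `# Get Service ID` block, `if [[ -z "${OS_SERVICE_ID}" ]]; then echo "service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; fi`, fails early with a clear message. The sibling `_ks-service.sh.tpl` in this commit carries a FIXME describing exactly this transient-failure mode for `service list`, which is the case the guard would surface here.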
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
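Review bot: The retry loop below the FIXME comment cannot distinguish a failed `openstack service list` from a service that genuinely does not exist, because the status of the `list | grep | sed` pipeline inside `$( )` is that of the final `sed`; a missing service therefore always costs three lookups and two `sleep 2` calls before the create runs, and a `PIPESTATUS` check is not available outside the command substitution. Capturing the raw listing first in an `if VAR=$(...)` condition lets the loop retry only when the listing itself failed, which is the ECONNRESET case the comment describes, and leave the loop as soon as it succeeded. The `exit 0` that ends the whole script when the service is found is intended but would benefit from a comment such as `# service already exists; nothing more to do`.
```shell
for i in $(seq 3)
do
  # Retry only when the listing itself fails; a successful listing with no
  # match means the service must be created below.
  if SERVICE_LIST=$(openstack service list -f csv --quote none); then
    OS_SERVICE_ID=$(echo "${SERVICE_LIST}" | \
      grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
      sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g")
    break
  fi
  sleep 2
done

# service already exists; nothing more to do
if [[ -n "${OS_SERVICE_ID}" ]]; then
  exit 0
fi
# … unchanged: openstack service create …
```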
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
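Review bot: The member-role assignment at the end of the hunk does not do what the `# Manage user member role` comment says: `ks_assign_user_role` unconditionally recomputes `USER_ROLE_ID` from `$SERVICE_OS_ROLE`, so the exported `USER_ROLE_ID` for `${MEMBER_OS_ROLE}` is overwritten and the final call re-adds whichever role came last in `SERVICE_OS_ROLES` (or runs `role create --or-show` with an empty name if that list was empty). Replacing the `export USER_ROLE_ID=$(...)` lines with `SERVICE_OS_ROLE="${MEMBER_OS_ROLE}"` followed by `ks_assign_user_role` routes the member role through the same lookup the loop uses. The `IFS=','` set before the loop is also never restored, which is harmless for the remaining lines but worth an `unset IFS` after the loop so later additions are not split unexpectedly.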
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
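Review bot: `${@}` at the end of both `rabbitmqadmin` invocations inside `rabbitmqadmin_cli` is unquoted, so every argument is re-split on whitespace before it reaches `rabbitmqadmin`; the `password="${RABBITMQ_PASSWORD}"` argument passed from the `declare user` call would be broken apart if the password contained a space. Replacing both occurrences with `"$@"` passes the arguments through exactly as the caller quoted them. Separately, the auxiliary configuration is written to the fixed path `/tmp/rmq_definitions.json` and never removed; a `mktemp -p /tmp` file, as `_backup_main.sh.tpl` in this commit already uses, followed by `rm -f` after the `import` would avoid leaving the definitions behind in the container.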
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
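Review bot: `if [ $revisionResults = "None" ]` in `create_or_update_db` leaves the variable unquoted, so an empty output from `rally db revision` turns the test into `[ = "None" ]`, a syntax error that aborts the script under `set -e` instead of taking the `rally db create` branch; write it as `if [ "$revisionResults" = "None" ]`. The heredoc that follows writes `OS_PASSWORD` and `SERVICE_OS_PASSWORD` into `/tmp/rally-config.json` under the container's default umask; a `umask 077` before the `cat >` line (or writing via `install -m 600`) keeps the credentials file private for the short time it exists before the `rm -f`. The `rally_cleanup` trap is only installed when `RALLY_CLEANUP` is `true`, so a failure with cleanup disabled leaves the service user in place, which is presumably intended but worth a one-line comment on the `trap` line.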
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..7c62bc4
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,397 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The following variables are optional:
+# export RGW_TIMEOUT Number of seconds to wait for the
+# connection to the RGW to be available
+# when sending a backup to the RGW. Default
+# is 1800 (30 minutes).
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+set -x
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=$2
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log ERROR "${DB_NAME}_backup" "Error creating container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 1
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Error retrieving container ${CONTAINER_NAME} details after creation."
+ return 1
+ fi
+ fi
+ else
+ echo $RESULT | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE || log ERROR "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Error retrieving container object $FILE after creation."
+ return 1
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ # If the RGW_TIMEOUT has already been set, use that value, otherwise give it
+ # a default value.
+ if [[ -z $RGW_TIMEOUT ]]; then
+ RGW_TIMEOUT=1800
+ fi
+
+ ERROR_SEEN=false
+ DONE=false
+ TIMEOUT_EXP=$(( $(date +%s) + $RGW_TIMEOUT ))
+ while [[ $DONE == "false" ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+
+ # Check if successful
+ if [[ $? -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ DONE=true
+ elif [[ $? -eq 2 ]]; then
+ # Temporary failure occurred. We need to retry if we have not timed out
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ DELTA=$(( TIMEOUT_EXP - $(date +%s) ))
+ if [[ $DELTA -lt 0 ]]; then
+ DONE=true
+ log ERROR "${DB_NAME}_backup" "Timed out waiting for RGW to become available."
+ ERROR_SEEN=true
+ else
+ log INFO "${DB_NAME}_backup" "Sleeping 30 seconds waiting for RGW to become available..."
+ sleep 30
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ fi
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW."
+ ERROR_SEEN=true
+ DONE=true
+ fi
+ done
+
+ if [[ $ERROR_SEEN == "true" ]]; then
+ log ERROR "${DB_NAME}_backup" "Errors encountered. Exiting."
+ return 1
+ fi
+ return 0
+}
+
+remove_old_local_archives() {
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ for ARCHIVE_FILE in $(ls -1 $ARCHIVE_DIR/*.gz); do
+ ARCHIVE_DATE=$( echo $ARCHIVE_FILE | awk -F/ '{print $NF}' | cut -d'.' -f 4)
+ if [[ "$(seconds_difference $ARCHIVE_DATE)" -gt "$(($LOCAL_DAYS_TO_KEEP*86400))" ]]; then
+ log INFO "${DB_NAME}_backup" "Deleting file $ARCHIVE_FILE."
+ rm -rf $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Cannot remove ${ARCHIVE_FILE}"
+ fi
+ else
+ log INFO "${DB_NAME}_backup" "Keeping file ${ARCHIVE_FILE}."
+ fi
+ done
+ fi
+}
+
+remove_old_remote_archives() {
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days"
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit "Could not obtain a list of current backup files in the RGW" 1
+ fi
+
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+
+ for ARCHIVE_FILE in $(cat $DB_BACKUP_FILES); do
+ ARCHIVE_DATE=$( echo $ARCHIVE_FILE | awk -F/ '{print $NF}' | cut -d'.' -f 4)
+ if [[ "$(seconds_difference ${ARCHIVE_DATE})" -gt "$((${REMOTE_DAYS_TO_KEEP}*86400))" ]]; then
+ log INFO "${DB_NAME}_backup" "Deleting file ${ARCHIVE_FILE} from the RGW"
+ openstack object delete $CONTAINER_NAME $ARCHIVE_FILE || log_backup_error_exit "Cannot delete container object ${ARCHIVE_FILE}!" 1
+ fi
+ done
+
+ # Cleanup now that we're done.
+ rm -f $BACKUP_FILES $DB_BACKUP_FILES
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit "Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit "Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit "Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit "Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit "Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ remove_old_local_archives
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ set +x
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ set -x
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ remove_old_remote_archives
+ fi
+
+ # Turn off trace just for a clearer printout of backup status - for manual backups, mainly.
+ set +x
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ set -x
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ # Turn off trace just for a clearer printout of backup status - for manual backups, mainly.
+ set +x
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ set -x
+ fi
+}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..c2de3aa
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f 8
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
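Review bot: `database_exists` does an unanchored `grep "${DB}" ${RESULT_FILE}`, so a substring match (e.g. a requested name that is a prefix of a database actually present in the archive) passes the existence check and `restore_single_db` is invoked for a database the archive does not contain; `grep -qx -- "${DB}" "${RESULT_FILE}"` pins an exact line match, and the inverted convention (returning 1 for "exists", then `-ne 1` at the caller) deserves a comment or a rename to something like `database_missing`. In `retrieve_remote_listing` the `$?` tested after the `openstack object list ... | grep | grep | awk` pipeline is awk's status, not the CLI's, so a failed listing writes an empty `archive_list` and is reported as "successfully retrieved"; capture the CLI output first or enable `set -o pipefail` before the pipeline. `list_archives` strips the directory with `cut -d '/' -f 8`, which silently prints nothing or the wrong component when `ARCHIVE_DIR` is not exactly six path elements deep; `basename "$archive"` does not depend on the depth. If this is a bundled copy of upstream helm-toolkit, the fixes belong upstream and should be re-bundled rather than patched only here.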
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
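Review bot: `index $envAll.Values.images.tags $image` returns nil when the requested key is absent from `images.tags`, and the snippet then renders an empty or quoted-empty `image:` rather than failing at template time, which surfaces only as an ImagePullBackOff in the cluster. Wrapping the lookup with `required` turns the typo into a render-time error: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. The exact rendered value for a nil tag depends on how `quote` treats nil, so the failure mode is inferred rather than observed here.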
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
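Review bot: The header comment's `usage` and `values` do not mention the `useCA` key that gates the `OS_CACERT` entry, while the `return` example lists `OS_CACERT` unconditionally and omits `OS_DEFAULT_DOMAIN`, which the snippet always emits; the abstract should document `useCA` (e.g. `( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true )`) and show the `OS_DEFAULT_DOMAIN` entry. `OS_ENDPOINT_TYPE` reading the `OS_INTERFACE` secret key looks intentional, since the companion `keystone_secret_openrc` snippet writes only `OS_INTERFACE`, but a one-line template comment such as `{{/* OS_ENDPOINT_TYPE deliberately reuses the OS_INTERFACE secret key */}}` would stop the next reader from "fixing" it.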
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..0324e68
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..baa7073
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,66 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
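Review bot: The Role's `apiGroups` list in the rules block still carries `extensions` next to `apps` and `batch`; DaemonSets are served from `apps` in current Kubernetes releases and, as far as I know, the `extensions` group no longer serves any of the listed resources, so the entry is dead weight in a rule that is otherwise narrowly scoped to get/list. Dropping `- extensions` keeps the grant minimal; if an older cluster is still a target, a comment naming the release that needs it would justify keeping the line. The path suggests this is a bundled copy of helm-toolkit, so the same change presumably belongs upstream as well.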
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..a8f1c49
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
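Review bot: `$allNamespace` is created with a throwaway `randAlphaNum 32` key that is later removed with `unset`, while the same file already builds empty maps with a bare `dict` on the `__kubernetes_entrypoint_init_container` lines, so the workaround injects a random value into every render for no effect. Replacing `{{- $randomKey := randAlphaNum 32 }}` and `{{- $allNamespace := dict $randomKey "" }}` with `{{- $allNamespace := dict }}` and deleting the `unset` line keeps behaviour, because every read goes through `index ... | default ""`, which handles a missing key the same way. A one-line comment above the `range $k, $v := $deps` loop saying that it collects, per namespace, the comma-separated resource kinds the Role must be allowed to read would help readers follow the string building.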
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
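Review bot: The `index $envAll.Values.pod.security_context $application "pod"` line has no `hasKey` guard for the `pod` subkey, unlike the `uid` lookup above it, so a `security_context.<app>` entry that carries only other settings would render `null` under `securityContext:`. Wrapping it in `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "pod" }}` matches the style of the user-uid branch. The abstract also has a typo, `seurity context` for `security context`.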
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
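Review bot: `mergeOverwrite $probeTemplate $probeOverides` writes the overrides into the caller's `$probeTemplate` map, since Sprig's mergeOverwrite mutates its first argument; a caller that builds one template map and includes this snippet for both `readiness` and `liveness` would see the first call's `params` carried into the second. Merging into a fresh map avoids that: `{{ dict ( printf "%sProbe" $type ) (mergeOverwrite (deepCopy $probeTemplate) $probeOverides ) | toYaml }}`. The local `$probeOverides` would read better as `$probeOverrides`.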
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
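Review bot: The `return` example in the header comment is malformed at `memory: "128Mi` (closing quote missing), and the deprecation note names no replacement, so a reader cannot tell what to migrate to. Naming the successor snippet, or at least stating that no new callers should be added, would make the deprecation actionable. When `pod.resources.enabled` is false the snippet emits nothing, which leaves containers without requests or limits; a comment stating that this is intended would stop the next reader from treating it as an omission.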
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
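Review bot: The annotation key `container.seccomp.security.alpha.kubernetes.io/<name>` emitted on the last template line is the legacy seccomp mechanism; Kubernetes deprecated these annotations in 1.19 and stopped honouring them in 1.25, so on such clusters a profile configured under `pod.seccomp` is silently not applied. The header comment should state this and point to `securityContext.seccompProfile` as the supported replacement, so chart authors do not rely on this snippet for enforcement.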
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
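Review bot: The `enabled: true` key shown in the header's values example is never read by the template, which renders `tolerations:` from `$pod.tolerations` unconditionally; either the snippet should honour it with `{{- if $pod.enabled }}` around the output, or the example should drop the key and state that callers gate the include themselves. As written, the documentation promises a switch the code does not have.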
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
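Review bot: `type: {{ $pod_replacement_strategy }}` is emitted before the `if $pod_replacement_strategy` guard, so an unset strategy still renders a `type:` key with an empty value; the API presumably defaults that for DaemonSets, but the rendered manifest is misleading and the guard two lines later suggests the author meant to skip it. Moving the `type:` line inside the guard, i.e. `updateStrategy:` / `  {{- if $pod_replacement_strategy }}` / `  type: {{ $pod_replacement_strategy }}`, makes the output match the intent. The deployment and statefulset snippets in the following hunks emit `type:` with no guard at all, so the same consideration applies there.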
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
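Review bot: The abstract reads `Reneders an attonation key and value for a release`; it should say `Renders an annotation key and value for a release`. The `return` example could also note that the value is always emitted as a quoted string, including the empty string when `release_uuid` is null, which is what the `default "" | quote` chain on the output line does.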
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
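Review bot: The Secret name `printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower )` is recomputed verbatim in the next hunk (`$s3secret` in `_rgw_s3_user_env_vars.tpl`), and that snippet reads the keys `USERNAME`, `ACCESS_KEY` and `SECRET_KEY`, which exist only if every `$config.auth` map uses exactly `username`, `access_key` and `secret_key`. A comment above the `range $key, $value := $config.auth` loop stating that contract, and a shared named template for the secret name, would keep the two files from drifting apart. The `b64enc}}` at the end of the data line is also missing the space before the closing delimiter that the rest of the file uses.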
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
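Review bot: The `and $enabled (ne $name "")` guard treats `enabled` as a Go-template truthy value, so the string `"false"` still renders the volume, and the header's own usage example invites that mistake by passing `"enabled" "true"` as a string. The example should pass a real boolean, as the next hunk does with `.Values.manifests.certificates`, and the abstract should say that omitting `enabled` disables the snippet rather than calling the key optional. `defaultMode: 292` is decimal for `0444`; a comment saying so would spare readers the conversion.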
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
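Review bot: The second usage example passes `"ca" true`, but the define never reads a `ca` key: the CA-only mount is selected solely by `path` being absent or empty (`if and (eq $path "") (ne $name "")`), so the abstract documents a parameter that does not exist. Either document that omitting `path` selects the single-CA mount, or read the key, `{{- $caOnly := index . "ca" | default false -}}`, and include it in the condition. The `mountPath` in the `range` branch is rendered unquoted while the CA branch quotes it; quoting both keeps the output consistent.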
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
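Review bot: `tpl ( $template | toYaml ) .` evaluates whatever arrives under `template` as a Go template with the full chart context, so any values-file key routed through this snippet is executable template text rather than data; the abstract only hints at this ("We can use all of gotpl here") and should say it plainly, since whoever supplies values overrides controls what gets rendered. One line in the abstract is enough: `Note: the template value is rendered with tpl against the chart context and must therefore be trusted input.` The `format` parameter (`configMap` or `Secret`) is also undocumented and should be listed next to `envAll`, `template` and `key`.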
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
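Review bot: When `params.ca` exists but lacks either `crt` or `key`, neither branch sets `$local.ca` — the `else` at the outer conditional runs only when the `ca` key is absent — so `genSignedCert ... $local.ca` receives nil and fails with an error that does not name the cause. An explicit rejection inside the inner conditional, `{{- else }}{{- fail "params.ca must provide both crt and key" }}`, makes a half-specified CA fail clearly. The returned dict also carries `caKey`, the CA private key, so a caller that writes the result into a Secret ships the signing key to every consumer of that Secret; the `return` example in the abstract omits `caKey` and should list it so callers know to drop it when it is not needed. `exp` is computed from `now` separately from the certificate's own NotAfter, so the two can differ by the render time — a small drift, but worth a comment.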
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
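Review bot: This define has no `abstract`/`values`/`usage` comment block, unlike the sibling utils in this directory, so the semantics of `override` (replaces the rendered template entirely), `prefix` and `append` (emitted before and after it) have to be inferred from the `indent 4` calls. A short block describing the three-element tuple (`keyRoot`, `configTemplate`, `context`) and stating that every output line is indented by four spaces for embedding under a ConfigMap `data:` key would suffice. `{{ if $keyRoot.override -}}` is the only action in the file without a leading `{{-`; it changes nothing here because the preceding action already trims trailing whitespace, but `{{- if $keyRoot.override -}}` matches the rest of the file.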
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
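Review bot: `{{- $_ := unset $context ".Files" }}` near the top uses the key `".Files"` with a leading dot; if the render context is a plain map keyed `Files`, as Helm builds it, this is a no-op and the Files object survives into the `omit $context "Values"` copy taken in the final loop — worth confirming with a render and, if so, changing to `unset $context "Files"`. The define also leaves `__daemonset_list`, `__default`, `__label_list`, `__volume_list` and `__volume` in `$context.Values` after it returns; only `__current_label` is unset, so the scratch keys can appear in the per-node `nodeData` copies and remain visible to templates rendered afterwards. Unsetting them just before the closing `{{- end }}` keeps `.Values` clean.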
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
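Review bot: The slice branch stores its working set in `$envAll.Values.__deps` and never removes it, so after this define returns `.Values.__deps` remains visible to every later template in the chart; `pod_dependency` is left behind by design, but `__deps` is purely scratch. Add `{{- $_ := unset $envAll.Values "__deps" }}` after the `range` closes. There is also no `abstract`/`usage` comment block, unlike most utils here; a few lines describing `envAll`, `dependencyMixinParam` (a string, a list, or empty) and `dependencyKey`, and that the output is the merged dependency map in YAML, would help callers.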
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
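Review bot: `$wtf` is an unhelpful name for the computed template path; `$templatePath` says what it holds. The path is built with `replace $last $name`, which substitutes every occurrence of the basename in `Template.Name`, not only the final component, so a chart whose directory name happens to equal the template basename would yield a wrong include path — `printf "%s/%s" (dir $context.Template.Name) $name` targets the final component only. A one-line abstract, `Renders the sibling template $name from the caller's directory and returns the sha256 of its output, quoted, for use as a checksum annotation.`, would document the contract.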
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
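Review bot: In the `range` over `$imageDict`, the separator comma is emitted before the exclusion check, so an excluded image that follows an included one still produces a `,` and the rendered list can end with a trailing comma or contain `,,` between two included images. Move the comma emission inside the inclusion branch: `{{- if (not (has $k $imageExcludeList )) -}}{{- if not $local.first -}},{{- end -}}{{- index $imageDict $k -}}{{- $_ := set $local "first" false -}}{{- end -}}`. A header comment in the `abstract:`/`usage:`/`return:` form used by the sibling helpers in this commit would also help, since this file is the only one in the set without one.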
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
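Review bot: Each value is wrapped in single quotes but not escaped, so a value that itself contains `'` terminates the quoting early in the rendered string; that limitation belongs in the abstract so consumers building quoted fragments know to validate their inputs, e.g. `Values are not escaped; a value containing a single quote will break the quoting.` The abstract also misspells "separated" as "seperated".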
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
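Review bot: The license header opens with `{/*` instead of `{{/*`, so it is not a template comment and the text up to `*/}}` becomes literal content of the partial rather than being discarded. This does not affect the `define` itself, because underscore-prefixed partials are not rendered on their own, but it is inconsistent with every other file in this commit and should read `{{/*`.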
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
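Review bot: In `helm-toolkit.utils.merge`, when the tuple holds a single value the `range` over `rest $local.values` never executes, `$local.result` is never set, and a caller that passed a map gets `result` set to nil instead of the lone target. Initialise the result before the loop with `{{- $_ := set $local "result" $target -}}` so a one-element merge returns the target unchanged. The open TODO in `_merge` about merging a collection with a scalar is still unresolved; as written the scalar path silently replaces the target, which the header comment does document, so either resolve the TODO or state in it that the current behaviour is intentional.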
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_template.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
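Review bot: `replace $last $name` substitutes every occurrence of the current file's base name in `$context.Template.Name`, so a directory component that happens to equal the base name would also be rewritten and `include` would look up a template that does not exist. Deriving the sibling path from the directory is unambiguous: `{{- $sibling := printf "%s/%s" (dir $context.Template.Name) $name -}}` and then `include $sibling $context`. The variable name `$wtf` also says nothing about what it holds; `$sibling` or `$template_path` would.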
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
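Review bot: Top-level entries whose value is not a map are silently skipped by the `kindIs "map"` guard, and values are written verbatim with no escaping, so a string value containing a newline yields extra `key = value` lines or a new section header in the rendered INI. Both behaviours are worth stating in the abstract, e.g. `Non-map sections are ignored; values are emitted unescaped, so a newline inside a value becomes additional INI lines.` Whether chart values can carry such strings from an untrusted source depends on the consuming chart, which is outside this hunk.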
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
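Review bot: The usage example in the header calls `helm-toolkit.utils.to_k8s_env_vars` with a single value, but the define below is `helm-toolkit.utils.to_k8s_env_secret_vars` and expects a tuple of the context and the secrets map (`index . 0` / `index . 1`), so the documented call would not work; the usage line should read `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}`. `name: {{ $key }}` and `key: {{ $key }}` are emitted unquoted while the secret name is quoted; a key that looks like a number or boolean would be retyped by the YAML parser, so `{{ $key | quote }}` on both lines is safer. The same unquoted `name: {{ $key }}` appears in _to_k8s_env_vars.tpl in this commit.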
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
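Review bot: In the map branch of the inner `range`, a map value whose `type` is neither `multistring` nor `csv`, or that has no `type` key at all, matches no branch and the option is silently dropped from the rendered config. A silent drop is hard to diagnose in a generated config file; consider a guard after the csv branch, `{{ else -}}{{ fail (printf "unsupported option type %q for %s" $value.type $key) }}{{ end -}}`. With a missing `type` key the comparison is `eq nil "multistring"`, which older Go template engines reject with a comparison error rather than returning false, so the failure mode may already differ by Helm version.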
diff --git a/charts/ceph-provisioners/charts/helm-toolkit/values.yaml b/charts/ceph-provisioners/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/ceph-provisioners/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/ceph-provisioners/requirements.lock b/charts/ceph-provisioners/requirements.lock
new file mode 100644
index 0000000..3b09b9a
--- /dev/null
+++ b/charts/ceph-provisioners/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: https://tarballs.opendev.org/openstack/openstack-helm-infra
+ version: '>= 0.1.0'
+digest: sha256:9a14200f65f9e9d7f811f6b763242eea2a0ff5f36199412abc2c58f273b95899
+generated: "2021-07-28T15:09:21.187908283Z"
diff --git a/charts/ceph-provisioners/requirements.yaml b/charts/ceph-provisioners/requirements.yaml
new file mode 100644
index 0000000..4333ba9
--- /dev/null
+++ b/charts/ceph-provisioners/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: https://tarballs.opendev.org/openstack/openstack-helm-infra
+ version: ">= 0.1.0"
+...
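Review bot: The helm-toolkit dependency is declared as `version: ">= 0.1.0"` against a remote tarball repository, so any future helm-toolkit release satisfies the constraint and only the committed requirements.lock digest pins what is actually fetched. Since this commit vendors helm-toolkit under `charts/ceph-provisioners/charts/helm-toolkit`, consider narrowing the range to the bundled version, e.g. `version: "~<bundled helm-toolkit version>"`, so a dependency re-resolve cannot silently pull a newer toolkit than the one the chart was tested with.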
diff --git a/charts/ceph-provisioners/templates/bin/_bootstrap.sh.tpl b/charts/ceph-provisioners/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/ceph-provisioners/templates/bin/_helm-tests.sh.tpl b/charts/ceph-provisioners/templates/bin/_helm-tests.sh.tpl
new file mode 100644
index 0000000..b22916d
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/_helm-tests.sh.tpl
@@ -0,0 +1,205 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+function reset_test_env()
+{
+ pvc_namespace=$1
+ pod_name=$2
+ pvc_name=$3
+ echo "--> Resetting POD and PVC before/after test"
+ if kubectl get pod -n $pvc_namespace $pod_name; then
+ kubectl delete pod -n $pvc_namespace $pod_name
+ fi
+
+ if kubectl get cm -n $pvc_namespace ${pod_name}-bin; then
+ kubectl delete cm -n $pvc_namespace ${pod_name}-bin
+ fi
+
+ if kubectl get pvc -n $pvc_namespace $pvc_name; then
+ kubectl delete pvc -n $pvc_namespace $pvc_name;
+ fi
+}
+
+
+function storageclass_validation()
+{
+ pvc_namespace=$1
+ pod_name=$2
+ pvc_name=$3
+ storageclass=$4
+
+ echo "--> Starting validation"
+
+ # storageclass check
+ if ! kubectl get storageclass $storageclass; then
+ echo "Storageclass: $storageclass is not provisioned."
+ exit 1
+ fi
+
+ tee <<EOF | kubectl apply -n $pvc_namespace -f -
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: $pvc_name
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: $storageclass
+ resources:
+ requests:
+ storage: 3Gi
+EOF
+
+ # waiting for pvc to get create
+ end=$(($(date +%s) + TEST_POD_WAIT_TIMEOUT))
+ while ! kubectl get pvc -n $pvc_namespace $pvc_name | grep Bound; do
+ if [ "$(date +%s)" -gt "${end}" ]; then
+ kubectl get pvc -n $pvc_namespace $pvc_name
+ kubectl get pv
+ echo "Storageclass is available but can't create PersistentVolumeClaim."
+ exit 1
+ fi
+ sleep 10
+ done
+
+ tee <<EOF | kubectl apply --namespace $pvc_namespace -f -
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: ${pod_name}-bin
+data:
+ test.sh: |
+ #!/bin/bash
+
+ tmpdir=\$(mktemp -d)
+ declare -a files_list
+ total_files=10
+
+ function check_result ()
+ {
+ red='\033[0;31m'
+ green='\033[0;32m'
+ bw='\033[0m'
+ if [ "\$1" -ne 0 ]; then
+ echo -e "\${red}\$2\${bw}"
+ exit 1
+ else
+ echo -e "\${green}\$3\${bw}"
+ fi
+ }
+
+ echo "Preparing \${total_objects} files for test"
+ for i in \$(seq \$total_files); do
+ files_list[\$i]="\$(mktemp -p "$tmpdir" -t XXXXXXXX)"
+ echo "Creating \${files_list[\$i]} file"
+ dd if=/dev/urandom of="\${files_list[\$i]}" bs=1M count=8
+
+ echo "Writing to /mnt/\${files_list[\$i]##*/}"
+ cp "\${files_list[\$i]}" "/mnt/\${files_list[\$i]##*/}"
+ check_result \$? "The action failed" "The action succeeded"
+ done
+
+ for i in \$(seq \$total_files); do
+ echo "Comparing files: \${files_list[\$i]} and /mnt/\${files_list[\$i]##*/}"
+ cmp "\${files_list[\$i]}" "/mnt/\${files_list[\$i]##*/}"
+ check_result \$? "The files are not equal" "The files are equal"
+ done
+
+ touch /mnt/SUCCESS && exit 0 || exit 1
+
+---
+kind: Pod
+apiVersion: v1
+metadata:
+ name: $pod_name
+spec:
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+ containers:
+ - name: task-pv-storage
+ image: {{ .Values.images.tags.ceph_config_helper }}
+ command:
+ - /tmp/test.sh
+ volumeMounts:
+ - name: ceph-cm-test
+ mountPath: /tmp/test.sh
+ subPath: test.sh
+ readOnly: true
+ - name: pvc
+ mountPath: "/mnt"
+ readOnly: false
+ restartPolicy: "Never"
+ volumes:
+ - name: ceph-cm-test
+ configMap:
+ name: ${pod_name}-bin
+ defaultMode: 0555
+ - name: pvc
+ persistentVolumeClaim:
+ claimName: $pvc_name
+...
+EOF
+
+ # waiting for pod to get completed
+ end=$(($(date +%s) + TEST_POD_WAIT_TIMEOUT))
+ while ! kubectl get pods -n $pvc_namespace $pod_name | grep -i Completed; do
+ if [ "$(date +%s)" -gt "${end}" ]; then
+ kubectl get pods -n $pvc_namespace $pod_name
+ kubectl logs -n $pvc_namespace $pod_name
+ echo "Cannot create POD with rbd storage class $storageclass based PersistentVolumeClaim."
+ exit 1
+ fi
+ sleep 10
+ done
+
+ kubectl logs -n $pvc_namespace $pod_name
+}
+
+
+reset_test_env $PVC_NAMESPACE $RBD_TEST_POD_NAME $RBD_TEST_PVC_NAME
+reset_test_env $PVC_NAMESPACE $CSI_RBD_TEST_POD_NAME $CSI_RBD_TEST_PVC_NAME
+reset_test_env $PVC_NAMESPACE $CEPHFS_TEST_POD_NAME $CEPHFS_TEST_PVC_NAME
+
+{{- range $storageclass, $val := .Values.storageclass }}
+if [ {{ $val.provisioner }} == "ceph.com/rbd" ] && [ {{ $val.provision_storage_class }} == true ];
+then
+ echo "--> Checking RBD storage class."
+ storageclass={{ $val.metadata.name }}
+
+ storageclass_validation $PVC_NAMESPACE $RBD_TEST_POD_NAME $RBD_TEST_PVC_NAME $storageclass
+ reset_test_env $PVC_NAMESPACE $RBD_TEST_POD_NAME $RBD_TEST_PVC_NAME
+fi
+
+if [ {{ $val.provisioner }} == "ceph.rbd.csi.ceph.com" ] && [ {{ $val.provision_storage_class }} == true ];
+then
+ echo "--> Checking CSI RBD storage class."
+ storageclass={{ $val.metadata.name }}
+ storageclass_validation $PVC_NAMESPACE $CSI_RBD_TEST_POD_NAME $CSI_RBD_TEST_PVC_NAME $storageclass
+ reset_test_env $PVC_NAMESPACE $CSI_RBD_TEST_POD_NAME $CSI_RBD_TEST_PVC_NAME
+fi
+
+if [ {{ $val.provisioner }} == "ceph.com/cephfs" ] && [ {{ $val.provision_storage_class }} == true ];
+then
+ echo "--> Checking cephfs storage class."
+ storageclass={{ $val.metadata.name }}
+ storageclass_validation $PVC_NAMESPACE $CEPHFS_TEST_POD_NAME $CEPHFS_TEST_PVC_NAME $storageclass
+ reset_test_env $PVC_NAMESPACE $CEPHFS_TEST_POD_NAME $CEPHFS_TEST_PVC_NAME
+fi
+{{- end }}
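Review bot: In the embedded test.sh heredoc, `echo "Preparing \${total_objects} files for test"` references `total_objects`, which is never defined; the counter is `total_files`. On the next loop line `mktemp -p "$tmpdir"` is not escaped, so `$tmpdir` is expanded by the outer script (where it is unset) rather than by test.sh, and the files land in mktemp's default directory instead of the intended one; it should be `\$tmpdir` like the other references in that block. The `kubectl` calls in reset_test_env and storageclass_validation also leave `$pvc_namespace`, `$pod_name` and `$pvc_name` unquoted, which works for the simple names used here but is fragile.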
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_client-key-manager.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_client-key-manager.sh.tpl
new file mode 100644
index 0000000..421e6f6
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_client-key-manager.sh.tpl
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- $envAll := . }}
+
+CEPH_CEPHFS_KEY=$(kubectl get secret ${PVC_CEPH_CEPHFS_STORAGECLASS_ADMIN_SECRET_NAME} \
+ --namespace=${PVC_CEPH_CEPHFS_STORAGECLASS_DEPLOYED_NAMESPACE} \
+ -o json )
+
+ceph_activate_namespace() {
+ kube_namespace=$1
+ secret_type=$2
+ secret_name=$3
+ ceph_key=$4
+ {
+ cat <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${secret_name}"
+ labels:
+{{ tuple $envAll "ceph" "cephfs" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+type: "${secret_type}"
+data:
+ key: $( echo ${ceph_key} )
+EOF
+ } | kubectl apply --namespace ${kube_namespace} -f -
+}
+
+if ! kubectl get --namespace ${DEPLOYMENT_NAMESPACE} secrets ${PVC_CEPH_CEPHFS_STORAGECLASS_USER_SECRET_NAME}; then
+ ceph_activate_namespace \
+ ${DEPLOYMENT_NAMESPACE} \
+ "kubernetes.io/cephfs" \
+ ${PVC_CEPH_CEPHFS_STORAGECLASS_USER_SECRET_NAME} \
+ "$(echo ${CEPH_CEPHFS_KEY} | jq -r '.data.key')"
+fi
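Review bot: `set -ex` on line 21349 traces every expanded command, so the call on lines 21377-21381 prints the base64 Ceph key pulled from the admin secret into the job's pod logs, where anyone with `pods/log` access can read it. Keep `set -e` but drop `-x` (or wrap the call in `set +x` … `set -x`), and fail closed when the source secret has no `data.key` instead of writing the literal string `null` into the new Secret: `"$(echo "${CEPH_CEPHFS_KEY}" | jq -er '.data.key')"`. It also appears that the value copied into the per-namespace "user" secret is the admin secret's key rather than a reduced-capability client key; if that is the intent, a comment saying so would save the next reader from assuming the user secret is least-privilege.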
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_start.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_start.sh.tpl
new file mode 100644
index 0000000..9691aa9
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/cephfs/_start.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec /usr/local/bin/cephfs-provisioner -id "${POD_NAME}"
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-ceph-config-manager.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-ceph-config-manager.sh.tpl
new file mode 100644
index 0000000..5051a3f
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-ceph-config-manager.sh.tpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- $envAll := . }}
+
+
+ENDPOINT=$(kubectl get endpoints ceph-mon-discovery -n ${PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE} -o json | awk -F'"' -v port=${MON_PORT} \
+ -v version=v1 -v msgr_version=v2 \
+ -v msgr2_port=${MON_PORT_V2} \
+ '/"ip"/{print "["version":"$4":"port"/"0","msgr_version":"$4":"msgr2_port"/"0"]"}' | paste -sd',')
+
+echo $ENDPOINT
+
+kubectl get cm ${CEPH_CONF_ETC} -n ${DEPLOYMENT_NAMESPACE} -o yaml | \
+ sed "s#mon_host.*#mon_host = ${ENDPOINT}#g" | \
+ kubectl apply -f -
+
+kubectl get cm ${CEPH_CONF_ETC} -n ${DEPLOYMENT_NAMESPACE} -o yaml
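Review bot: The `sed` on line 21442 rewrites `mon_host` unconditionally, so if the `ceph-mon-discovery` endpoints object has no ready addresses the awk pipeline yields an empty `ENDPOINT` and the ConfigMap is applied with `mon_host = `, silently breaking every client that mounts it. Guard before applying: `[ -n "${ENDPOINT}" ] || { echo "no ceph-mon-discovery addresses found"; exit 1; }`. Note also that `awk -F'"'` matching `/"ip"/` depends on the JSON formatting of `kubectl -o json`; `kubectl get endpoints … -o jsonpath='{.subsets[*].addresses[*].ip}'` would be more robust to that.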
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-cleaner.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-cleaner.sh.tpl
new file mode 100644
index 0000000..5f482a2
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-cleaner.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+kubectl delete secret \
+ --namespace ${DEPLOYMENT_NAMESPACE} \
+ --ignore-not-found=true \
+ ${PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME}
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-manager.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-manager.sh.tpl
new file mode 100644
index 0000000..e6a8abe
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_namespace-client-key-manager.sh.tpl
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- $envAll := . }}
+
+CEPH_RBD_KEY=$(kubectl get secret ${PVC_CEPH_RBD_STORAGECLASS_ADMIN_SECRET_NAME} \
+ --namespace=${PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE} \
+ -o json )
+
+ceph_activate_namespace() {
+ kube_namespace=$1
+ secret_type=$2
+ secret_name=$3
+ ceph_key=$4
+ {
+ cat <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${secret_name}"
+ labels:
+{{ tuple $envAll "ceph" "rbd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+type: "${secret_type}"
+data:
+ key: $( echo ${ceph_key} )
+EOF
+ } | kubectl apply --namespace ${kube_namespace} -f -
+}
+
+ceph_activate_namespace ${DEPLOYMENT_NAMESPACE} "kubernetes.io/rbd" ${PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME} "$(echo ${CEPH_RBD_KEY} | jq -r '.data.key')"
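Review bot: With `set -ex` on line 21496, the call on line 21523 is echoed with its expanded arguments, which leaks the base64 Ceph key from the admin secret into this job's logs; drop `-x` or disable tracing around the call. Unlike the cephfs variant in this same change, this script applies the secret unconditionally rather than only when it is absent, and `jq -r '.data.key'` will happily emit `null` if the admin secret lacks that field, producing an unusable Secret; use `jq -er` so a missing key aborts under `set -e`. A one-line comment stating whose key is being copied (it is read from `PVC_CEPH_RBD_STORAGECLASS_ADMIN_SECRET_NAME`) would make the privilege level of the resulting "user" secret explicit.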
diff --git a/charts/ceph-provisioners/templates/bin/provisioner/rbd/_start.sh.tpl b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_start.sh.tpl
new file mode 100644
index 0000000..aadbecd
--- /dev/null
+++ b/charts/ceph-provisioners/templates/bin/provisioner/rbd/_start.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec /usr/local/bin/rbd-provisioner -id "${POD_NAME}"
diff --git a/charts/ceph-provisioners/templates/configmap-bin-provisioner.yaml b/charts/ceph-provisioners/templates/configmap-bin-provisioner.yaml
new file mode 100644
index 0000000..b78f393
--- /dev/null
+++ b/charts/ceph-provisioners/templates/configmap-bin-provisioner.yaml
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_bin .Values.deployment.client_secrets }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+data:
+ provisioner-rbd-namespace-client-ceph-config-manager.sh: |
+{{ tuple "bin/provisioner/rbd/_namespace-client-ceph-config-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ provisioner-rbd-namespace-client-key-manager.sh: |
+{{ tuple "bin/provisioner/rbd/_namespace-client-key-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ provisioner-rbd-namespace-client-key-cleaner.sh: |
+{{ tuple "bin/provisioner/rbd/_namespace-client-key-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ helm-tests.sh: |
+{{ tuple "bin/_helm-tests.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/configmap-bin.yaml b/charts/ceph-provisioners/templates/configmap-bin.yaml
new file mode 100644
index 0000000..46adf15
--- /dev/null
+++ b/charts/ceph-provisioners/templates/configmap-bin.yaml
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_bin_common .Values.deployment.ceph }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+
+ provisioner-cephfs-start.sh: |
+{{ tuple "bin/provisioner/cephfs/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ provisioner-cephfs-client-key-manager.sh: |
+{{ tuple "bin/provisioner/cephfs/_client-key-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+ provisioner-rbd-start.sh: |
+{{ tuple "bin/provisioner/rbd/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/configmap-etc-client.yaml b/charts/ceph-provisioners/templates/configmap-etc-client.yaml
new file mode 100644
index 0000000..8db63dc
--- /dev/null
+++ b/charts/ceph-provisioners/templates/configmap-etc-client.yaml
@@ -0,0 +1,54 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ceph.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if or (.Values.deployment.ceph) (.Values.deployment.client_secrets) }}
+
+{{- if empty .Values.conf.ceph.global.mon_host -}}
+{{- $monHost := tuple "ceph_mon" "internal" "mon_msgr2" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+{{- $_ := $monHost | set .Values.conf.ceph.global "mon_host" -}}
+{{- end -}}
+
+
+{{- if empty .Values.conf.ceph.osd.cluster_network -}}
+{{- $_ := .Values.network.cluster | set .Values.conf.ceph.osd "cluster_network" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.ceph.osd.public_network -}}
+{{- $_ := .Values.network.public | set .Values.conf.ceph.osd "public_network" -}}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $configMapName }}
+data:
+ ceph.conf: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.ceph | indent 4 }}
+
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.manifests.configmap_etc }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+{{- list .Values.storageclass.csi_rbd.ceph_configmap_name . | include "ceph.configmap.etc" }}
+{{- else }}
+{{- list .Values.storageclass.rbd.ceph_configmap_name . | include "ceph.configmap.etc" }}
+{{- end }}
+{{- end }}
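Review bot: Lines 21660-21663 mutate the shared `.Values.conf.ceph.global.mon_host` with `set` when it is empty, and `configmap-etc-csi.yaml` in this same change does the same with a different port lookup (`mon_msgr2` here, `mon` there). Whichever template Helm renders first wins and the other sees a non-empty value and skips its own lookup, so the endpoint written into one of the two ConfigMaps depends on render order rather than on the intent of each template. Compute into a local instead of mutating values, e.g. `{{- $monHost := default (tuple "ceph_mon" "internal" "mon_msgr2" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup") .Values.conf.ceph.global.mon_host }}` and render `ceph.conf` from a copy that carries that value. The same remark applies to the `cluster_network`/`public_network` writes on lines 21666-21672.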
diff --git a/charts/ceph-provisioners/templates/configmap-etc-csi.yaml b/charts/ceph-provisioners/templates/configmap-etc-csi.yaml
new file mode 100644
index 0000000..8ecc362
--- /dev/null
+++ b/charts/ceph-provisioners/templates/configmap-etc-csi.yaml
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ceph.configmap.etc.csi" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if and (.Values.deployment.ceph) (.Values.deployment.csi_rbd_provisioner) }}
+
+{{- if empty .Values.conf.ceph.global.mon_host -}}
+{{- $monHost := tuple "ceph_mon" "internal" "mon" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+{{- $_ := $monHost | set .Values.conf.ceph.global "mon_host" -}}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: ConfigMap
+data:
+ config.json: |-
+ [
+ {
+ "clusterID": {{ .Release.Namespace | quote }},
+ "monitors": [
+ {{ .Values.conf.ceph.global.mon_host | quote }}
+ ]
+ }
+ ]
+metadata:
+ name: ceph-csi-config
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list .Values.storageclass.csi_rbd.ceph_configmap_name . | include "ceph.configmap.etc.csi" }}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml b/charts/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml
new file mode 100644
index 0000000..8933f34
--- /dev/null
+++ b/charts/ceph-provisioners/templates/daemonset-csi-rbd-plugin.yaml
@@ -0,0 +1,181 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.deployment_csi_rbd_provisioner .Values.deployment.csi_rbd_provisioner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ceph-rbd-csi-nodeplugin" }}
+{{ tuple $envAll "rbd_provisioner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: ceph-rbd-plugin
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "rbd" "plugin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "rbd" "plugin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "plugin" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "rbd" "plugin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rbd-plugin" "containerNames" (list "driver-registrar" "csi-rbdplugin" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "plugin" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.csi_rbd_plugin.node_selector_key }}: {{ .Values.labels.csi_rbd_plugin.node_selector_value }}
+ hostNetwork: true
+ hostPID: true
+ dnsPolicy: {{ .Values.pod.dns_policy }}
+ initContainers:
+{{ tuple $envAll "rbd_plugin" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: driver-registrar
+{{ tuple $envAll "csi_registrar" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_registrar | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "plugin" "container" "ceph_rbd_registrar" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ args:
+ - "--v=0"
+ - "--csi-address=/csi/csi.sock"
+ - "--kubelet-registration-path=/var/lib/kubelet/plugins/$(DEPLOYMENT_NAMESPACE).rbd.csi.ceph.com/csi.sock"
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - name: registration-dir
+ mountPath: /registration
+ - name: csi-rbdplugin
+{{ tuple $envAll "cephcsi" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_cephcsi | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "plugin" "container" "ceph_csi_rbd_plugin" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ args:
+ - "--nodeid=$(NODE_ID)"
+ - "--type=rbd"
+ - "--nodeserver=true"
+ - "--endpoint=$(CSI_ENDPOINT)"
+ - "--v=0"
+ - "--drivername=$(DEPLOYMENT_NAMESPACE).rbd.csi.ceph.com"
+ - "--pidlimit=-1"
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: NODE_ID
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: CSI_ENDPOINT
+ value: unix:///csi/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - mountPath: /dev
+ name: host-dev
+ - mountPath: /sys
+ name: host-sys
+ - mountPath: /run/mount
+ name: host-mount
+ - mountPath: /lib/modules
+ name: lib-modules
+ readOnly: true
+ - name: ceph-csi-config
+ mountPath: /etc/ceph-csi-config/
+ - name: plugin-dir
+ mountPath: /var/lib/kubelet/plugins
+ mountPropagation: "Bidirectional"
+ - name: mountpoint-dir
+ mountPath: /var/lib/kubelet/pods
+ mountPropagation: "Bidirectional"
+ - name: keys-tmp-dir
+ mountPath: /tmp/csi/keys
+ volumes:
+ - name: socket-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins/ceph.rbd.csi.ceph.com
+ type: DirectoryOrCreate
+ - name: plugin-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins
+ type: Directory
+ - name: mountpoint-dir
+ hostPath:
+ path: /var/lib/kubelet/pods
+ type: DirectoryOrCreate
+ - name: registration-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins_registry/
+ type: Directory
+ - name: host-dev
+ hostPath:
+ path: /dev
+ - name: host-sys
+ hostPath:
+ path: /sys
+ - name: host-mount
+ hostPath:
+ path: /run/mount
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: ceph-csi-config
+ configMap:
+ name: ceph-csi-config
+ - name: keys-tmp-dir
+ emptyDir: {
+ medium: "Memory"
+ }
+{{- end }}
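Review bot: The registrar on line 21833 tells the kubelet the socket lives at `/var/lib/kubelet/plugins/$(DEPLOYMENT_NAMESPACE).rbd.csi.ceph.com/csi.sock`, but the `socket-dir` hostPath on line 21900 is hard-coded to `/var/lib/kubelet/plugins/ceph.rbd.csi.ceph.com`, so the two only agree when the release namespace is literally `ceph`; in any other namespace the kubelet is registered with a path where no socket exists. Make the hostPath follow the driver name: `path: /var/lib/kubelet/plugins/{{ .Release.Namespace }}.rbd.csi.ceph.com`. Separately, this pod combines `hostNetwork`, `hostPID`, host `/dev` and `/sys`, and `Bidirectional` propagation on the kubelet directories, which effectively requires a privileged container; the container securityContext comes from values not visible here, so a comment above line 21820 stating that this DaemonSet is intentionally privileged and must be confined to storage nodes via the node selector would help reviewers.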
diff --git a/charts/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml b/charts/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
new file mode 100644
index 0000000..e96387a
--- /dev/null
+++ b/charts/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
@@ -0,0 +1,201 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.deployment_cephfs_provisioner .Values.deployment.cephfs_provisioner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ceph-cephfs-provisioner" }}
+{{ tuple $envAll "cephfs_provisioner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - cephfs-provisioner
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}-run-cephfs-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: ceph-cephfs-provisioner
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.cephfs_provisioner }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-provisioner" "containerNames" (list "ceph-cephfs-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ tuple $envAll "cephfs_provisioner" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+ nodeSelector:
+ {{ .Values.labels.provisioner.node_selector_key }}: {{ .Values.labels.provisioner.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "cephfs_provisioner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ceph-cephfs-provisioner
+{{ tuple $envAll "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.cephfs_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: PROVISIONER_NAME
+ value: {{ .Values.storageclass.cephfs.provisioner }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ command:
+ - /tmp/provisioner-cephfs-start.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-run
+ mountPath: /run
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-provisioners-bin
+ mountPath: /tmp/provisioner-cephfs-start.sh
+ subPath: provisioner-cephfs-start.sh
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-run
+ emptyDir:
+ medium: "Memory"
+ - name: pod-etc-ceph
+ emptyDir: {}
+ - name: ceph-provisioners-bin
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+ defaultMode: 0555
+{{- end }}
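Review bot: The ClusterRole on lines 21965-21974 grants `get`, `list` and `watch` on `secrets` across every namespace, which lets this provisioner's service account read all Secrets in the cluster, not just the per-volume ones it creates. Creating and deleting secrets in arbitrary claim namespaces may be inherent to the legacy cephfs provisioner, but `list`/`watch` on all secrets appears broader than that and is worth trimming to what the provisioner demonstrably uses; the namespaced Role on lines 22046-22057 already duplicates `get`/`list` for the release namespace. The `podsecuritypolicies` rule on lines 22024-22031 also uses the `extensions` apiGroup and references a `cephfs-provisioner` PSP that this change does not define; the PSP API moved to `policy` long before removal, so `- policy` is the group to use if the rule is kept at all.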
diff --git a/charts/ceph-provisioners/templates/deployment-csi-rbd-provisioner.yaml b/charts/ceph-provisioners/templates/deployment-csi-rbd-provisioner.yaml
new file mode 100644
index 0000000..fb3bc22
--- /dev/null
+++ b/charts/ceph-provisioners/templates/deployment-csi-rbd-provisioner.yaml
@@ -0,0 +1,283 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.deployment_csi_rbd_provisioner .Values.deployment.csi_rbd_provisioner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ceph-rbd-csi-provisioner" }}
+{{ tuple $envAll "rbd_provisioner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}-run-rbd-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ $envAll.Release.Namespace }}
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: ceph-rbd-csi-provisioner
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.csi_rbd_provisioner }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rbd-csi-provisioner" "containerNames" (list "ceph-rbd-provisioner" "ceph-rbd-snapshotter" "ceph-rbd-attacher" "csi-resizer" "csi-rbdplugin" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ tuple $envAll "csi_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+ nodeSelector:
+ {{ .Values.labels.provisioner.node_selector_key }}: {{ .Values.labels.provisioner.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "rbd_provisioner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ceph-rbd-provisioner
+{{ tuple $envAll "csi_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.csi_rbd_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ADDRESS
+ value: unix:///csi/csi-provisioner.sock
+
+ args:
+ - "--csi-address=$(ADDRESS)"
+ - "--v=0"
+ - "--timeout=150s"
+ - "--retry-interval-start=500ms"
+ - "--enable-leader-election=true"
+ - "--leader-election-type=leases"
+ - "--leader-election-namespace=$(DEPLOYMENT_NAMESPACE)"
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - name: ceph-rbd-snapshotter
+{{ tuple $envAll "csi_snapshotter" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_snapshotter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_snapshotter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ args:
+ - "--csi-address=$(ADDRESS)"
+ - "--v=0"
+ - "--timeout=150s"
+ - "--leader-election=true"
+ - "--leader-election-namespace=$(DEPLOYMENT_NAMESPACE)"
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ADDRESS
+ value: unix:///csi/csi-provisioner.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - name: ceph-rbd-attacher
+{{ tuple $envAll "csi_attacher" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_attacher | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_attacher" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ args:
+ - "--v=0"
+ - "--csi-address=$(ADDRESS)"
+ - "--leader-election=true"
+ - "--retry-interval-start=500ms"
+ - "--leader-election-namespace=$(DEPLOYMENT_NAMESPACE)"
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ADDRESS
+ value: /csi/csi-provisioner.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - name: csi-resizer
+{{ tuple $envAll "csi_resizer" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_resizer | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_resizer" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ args:
+ - "--csi-address=$(ADDRESS)"
+ - "--v=0"
+ - "--csiTimeout=150s"
+ - "--leader-election"
+ - "--leader-election-namespace=$(DEPLOYMENT_NAMESPACE)"
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ADDRESS
+ value: unix:///csi/csi-provisioner.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - name: csi-rbdplugin
+{{ tuple $envAll "cephcsi" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_cephcsi | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_cephcsi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ args:
+ - "--nodeid=$(NODE_ID)"
+ - "--type=rbd"
+ - "--controllerserver=true"
+ - "--endpoint=$(CSI_ENDPOINT)"
+ - "--v=0"
+ - "--drivername=$(DEPLOYMENT_NAMESPACE).rbd.csi.ceph.com"
+ - "--pidlimit=-1"
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: NODE_ID
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: CSI_ENDPOINT
+ value: unix:///csi/csi-provisioner.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - mountPath: /dev
+ name: host-dev
+ - mountPath: /sys
+ name: host-sys
+ - mountPath: /lib/modules
+ name: lib-modules
+ readOnly: true
+ - name: ceph-csi-config
+ mountPath: /etc/ceph-csi-config/
+ - name: keys-tmp-dir
+ mountPath: /tmp/csi/keys
+ volumes:
+ - name: host-dev
+ hostPath:
+ path: /dev
+ - name: host-sys
+ hostPath:
+ path: /sys
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: socket-dir
+ emptyDir: {
+ medium: "Memory"
+ }
+ - name: ceph-csi-config
+ configMap:
+ name: ceph-csi-config
+ - name: keys-tmp-dir
+ emptyDir: {
+ medium: "Memory"
+ }
+{{- end }}
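Review bot: The `secrets` rule in the ClusterRole grants `get` and `list` cluster-wide, so the provisioner service account can read every Secret in every namespace; that breadth is what allows StorageClasses to reference secrets in arbitrary namespaces, but it should be stated explicitly so operators accept it deliberately rather than discover it in an audit. Suggest a comment above that rule, e.g. `# cluster-wide secret read: resolves csi.storage.k8s.io/*-secret-namespace StorageClass parameters from any namespace`. Separately, the `csi-rbdplugin` container mounts the host's `/dev` and `/sys` writable while only `/lib/modules` carries `readOnly: true`; if the controller server does not write to those paths, add `readOnly: true` to both `host-dev` and `host-sys` mounts. Whether the container also runs privileged depends on the `pod.security_context` values, which are not in this hunk, so the effective blast radius cannot be judged from the template alone. The `ceph-rbd-attacher` container's `ADDRESS` is `/csi/csi-provisioner.sock` while every sibling uses `unix:///csi/csi-provisioner.sock`; both forms are accepted by csi-attacher, but aligning them avoids a reader assuming a different socket.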
diff --git a/charts/ceph-provisioners/templates/deployment-rbd-provisioner.yaml b/charts/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
new file mode 100644
index 0000000..4e2b34f
--- /dev/null
+++ b/charts/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
@@ -0,0 +1,191 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.deployment_rbd_provisioner .Values.deployment.rbd_provisioner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "ceph-rbd-provisioner" }}
+{{ tuple $envAll "rbd_provisioner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - rbd-provisioner
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}-run-rbd-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: ceph-rbd-provisioner
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.rbd_provisioner }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rbd-provisioner" "containerNames" (list "ceph-rbd-provisioner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ tuple $envAll "rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+ nodeSelector:
+ {{ .Values.labels.provisioner.node_selector_key }}: {{ .Values.labels.provisioner.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "rbd_provisioner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ceph-rbd-provisioner
+{{ tuple $envAll "ceph_rbd_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.rbd_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: PROVISIONER_NAME
+ value: {{ .Values.storageclass.rbd.provisioner }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ command:
+ - /tmp/provisioner-rbd-start.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-run
+ mountPath: /run
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-provisioners-bin
+ mountPath: /tmp/provisioner-rbd-start.sh
+ subPath: provisioner-rbd-start.sh
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-run
+ emptyDir:
+ medium: "Memory"
+ - name: pod-etc-ceph
+ emptyDir: {}
+ - name: ceph-provisioners-bin
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+ defaultMode: 0555
+{{- end }}
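Review bot: The last ClusterRole rule grants `use` on `podsecuritypolicies` in the `extensions` API group for a PSP named `rbd-provisioner` that nothing in this hunk creates; PodSecurityPolicy was served from the `policy` group and removed entirely in Kubernetes 1.25, so on current clusters this rule is either a dangling reference or a no-op, and on older clusters with PSP admission enabled the wrong group may leave the pod rejected. If PSP support is still intended, wrap the rule in `{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}` and change it to `apiGroups: [policy]`; otherwise drop it. The namespaced `Role` limiting `secrets` `get`/`list` to the release namespace is the right scope for this provisioner and is worth keeping as-is. The `Role` and `RoleBinding` omit `namespace:` in metadata, which Helm fills with the release namespace, but spelling it out as `namespace: {{ $envAll.Release.Namespace }}` would match the ClusterRoleBinding subject above and the sibling templates.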
diff --git a/charts/ceph-provisioners/templates/job-bootstrap.yaml b/charts/ceph-provisioners/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..d397108
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-bootstrap.yaml
@@ -0,0 +1,84 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "ceph-client-bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ceph-client-bootstrap
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ceph-client-bootstrap
+{{ tuple $envAll "ceph_bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "ceph_client_bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-provisioners-bin
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ - name: ceph-client-admin-keyring
+ mountPath: /etc/ceph/ceph.client.admin.keyring
+ subPath: ceph.client.admin.keyring
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-ceph
+ emptyDir: {}
+ - name: ceph-provisioners-bin
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+ defaultMode: 0555
+ - name: ceph-etc
+ configMap:
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ name: {{ .Values.storageclass.csi_rbd.ceph_configmap_name }}
+{{- else }}
+ name: {{ .Values.storageclass.rbd.ceph_configmap_name }}
+{{- end }}
+ defaultMode: 0444
+ - name: ceph-client-admin-keyring
+ secret:
+ secretName: {{ .Values.secrets.keyrings.admin }}
+{{- end }}
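Review bot: This Job mounts the Ceph admin keyring (`secrets.keyrings.admin`) into the bootstrap container, yet its pod template has no `annotations:` block and so, unlike the other pods in this chart, receives no `kubernetes_mandatory_access_control_annotation`; the one pod holding the cluster-admin credential is the one without the chart's AppArmor profile. Add under `template.metadata` an `annotations:` key followed by `{{ dict "envAll" $envAll "podName" "ceph-client-bootstrap" "containerNames" (list "ceph-client-bootstrap" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}`. The `ceph-client-admin-keyring` secret volume also uses the default file mode; consider `defaultMode: 0400` so the keyring is readable only by the owning UID, provided the `runAsUser`/`fsGroup` in `pod.security_context.bootstrap` (not visible here) make that UID the container's user. The Job and ServiceAccount names are hard-coded as `ceph-client-bootstrap` rather than release-prefixed like the provisioner resources, so two releases in one namespace would collide.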
diff --git a/charts/ceph-provisioners/templates/job-cephfs-client-key.yaml b/charts/ceph-provisioners/templates/job-cephfs-client-key.yaml
new file mode 100644
index 0000000..38b43d3
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-cephfs-client-key.yaml
@@ -0,0 +1,136 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_cephfs_client_key .Values.deployment.cephfs_provisioner }}
+{{- $envAll := . }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := "ceph-cephfs-client-key-generator" }}
+{{ tuple $envAll "cephfs_client_key_generator" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+ namespace: {{ .Values.storageclass.cephfs.parameters.adminSecretNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+ namespace: {{ .Values.storageclass.cephfs.parameters.adminSecretNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ceph-cephfs-client-key-generator
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "ceph-cephfs-client-key-generator" "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "cephfs_client_key_generator" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ceph-storage-keys-generator
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cephfs_client_key_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: PVC_CEPH_CEPHFS_STORAGECLASS_USER_SECRET_NAME
+ value: {{ .Values.storageclass.cephfs.parameters.adminSecretName }}
+ - name: PVC_CEPH_CEPHFS_STORAGECLASS_ADMIN_SECRET_NAME
+ value: {{ .Values.secrets.keyrings.prov_adminSecretName }}
+ - name: PVC_CEPH_CEPHFS_STORAGECLASS_DEPLOYED_NAMESPACE
+ value: {{ .Values.storageclass.cephfs.parameters.adminSecretNamespace }}
+ command:
+ - /tmp/provisioner-cephfs-client-key-manager.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-provisioners-bin
+ mountPath: /tmp/provisioner-cephfs-client-key-manager.sh
+ subPath: provisioner-cephfs-client-key-manager.sh
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-ceph
+ emptyDir: {}
+ - name: ceph-provisioners-bin
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin" | quote }}
+ defaultMode: 0555
+{{- end }}
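Review bot: The Role created in `adminSecretNamespace` grants `get` and `list` on all `secrets` there, so the key-generator service account can enumerate every Secret in the admin namespace rather than only the admin keyring it needs; `list` cannot be narrowed by `resourceNames`, so if the script fetches the named secret directly, drop `list` and add `resourceNames: [{{ .Values.secrets.keyrings.prov_adminSecretName }}]` (the script is not in this hunk, so confirm it does not rely on listing). The `randAlphaNum 5` suffix makes the cross-namespace Role/RoleBinding names differ on every render, which defeats `helm diff` and relies on Helm to garbage-collect the previous pair on each upgrade; a deterministic, release-unique suffix such as `printf "%s-%s" $serviceAccountName $envAll.Release.Namespace` would achieve the same collision avoidance. The environment variable `PVC_CEPH_CEPHFS_STORAGECLASS_USER_SECRET_NAME` is set from `adminSecretName` while `..._ADMIN_SECRET_NAME` is set from `prov_adminSecretName`; a one-line comment above the `env:` block explaining which secret is the source and which is the target would save the next reader from assuming the names are swapped.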
diff --git a/charts/ceph-provisioners/templates/job-image-repo-sync.yaml b/charts/ceph-provisioners/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..60d862f
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-image-repo-sync.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "ceph-provisioners" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/ceph-provisioners/templates/job-namespace-client-ceph-config.yaml b/charts/ceph-provisioners/templates/job-namespace-client-ceph-config.yaml
new file mode 100644
index 0000000..154df6b
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-namespace-client-ceph-config.yaml
@@ -0,0 +1,153 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_namespace_client_ceph_config .Values.deployment.client_secrets }}
+{{- $envAll := . }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-ceph-ns-ceph-config-generator" }}
+{{ tuple $envAll "namespace_client_ceph_config_generator" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ namespace: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+ namespace: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ namespace: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+ namespace: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $serviceAccountName }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ceph" "client-ceph-config-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "client_ceph_config_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "namespace_client_ceph_config_generator" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ceph-storage-keys-generator
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client_ceph_config_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: CEPH_CONF_ETC
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ value: {{ .Values.storageclass.csi_rbd.ceph_configmap_name }}
+{{- else }}
+ value: {{ .Values.storageclass.rbd.ceph_configmap_name }}
+{{- end }}
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ value: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+ value: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+ - name: MON_PORT
+ value: {{ tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+ - name: MON_PORT_V2
+ value: {{ tuple "ceph_mon" "internal" "mon_msgr2" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+
+ command:
+ - /tmp/provisioner-rbd-namespace-client-ceph-config-manager.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-provisioners-bin-clients
+ mountPath: /tmp/provisioner-rbd-namespace-client-ceph-config-manager.sh
+ subPath: provisioner-rbd-namespace-client-ceph-config-manager.sh
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-ceph
+ emptyDir: {}
+ - name: ceph-provisioners-bin-clients
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+ defaultMode: 0555
+{{- end }}
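Review bot: The Job's `metadata` carries no `annotations:` block with `helm-toolkit.snippets.release_uuid`, unlike the bootstrap and cephfs-client-key Jobs in this chart, so this Job presumably will not be re-rendered when the release UUID changes on upgrade (confirm against the toolkit snippet's intent). For consistency add, after `name: {{ $serviceAccountName }}`, `annotations:` and `{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}`. The cross-namespace Role is limited to `endpoints` `get`/`list`, which is appropriately minimal for reading monitor addresses, but the `randAlphaNum 5` suffix on its name changes on every render; a deterministic suffix such as `$envAll.Release.Namespace` would avoid churn while still preventing collisions between releases sharing the admin namespace.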
diff --git a/charts/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml b/charts/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml
new file mode 100644
index 0000000..189f32f
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml
@@ -0,0 +1,105 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_namespace_client_key_cleaner .Values.deployment.client_secrets }}
+{{- $envAll := . }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-ceph-ns-key-cleaner" }}
+{{ tuple $envAll "namespace_client_key_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $serviceAccountName }}
+ annotations:
+ "helm.sh/hook": pre-delete
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ceph" "client-key-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "client_key_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "namespace_client_key_cleaner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ceph-namespace-client-keys-cleaner
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client_key_cleaner" "container" "ceph_namespace_client_keys_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ value: {{ .Values.storageclass.csi_rbd.parameters.userSecretName }}
+{{- else }}
+ value: {{ .Values.storageclass.rbd.parameters.userSecretName }}
+{{- end }}
+ command:
+ - /tmp/provisioner-rbd-namespace-client-key-cleaner.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-provisioners-bin-clients
+ mountPath: /tmp/provisioner-rbd-namespace-client-key-cleaner.sh
+ subPath: provisioner-rbd-namespace-client-key-cleaner.sh
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-ceph
+ emptyDir: {}
+ - name: ceph-provisioners-bin-clients
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+ defaultMode: 0555
+{{- end }}
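Review bot: The cleaner Job's pod template has no `helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation` include, unlike the sibling key-generator Job (its `annotations:` block under `spec.template.metadata`) and the helm-test pod, so the AppArmor override in values_overrides/apparmor.yaml cannot attach a profile to `ceph-namespace-client-keys-cleaner` — and that override file carries no stanza for the cleaner pod either. Suggested addition under `labels:`: `annotations:` followed by `{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "ceph-namespace-client-keys-cleaner" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}`, with a matching `ceph-provisioners-ceph-ns-key-cleaner:` entry in the override. Separately, `$randStringSuffix` is assigned but never used in this template and can be dropped. The Role also grants `list` and `delete` on every secret in the release namespace; if the cleaner script only removes the secret named by `PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME` (the script is not visible here), `get`/`delete` could be narrowed with `resourceNames`.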
diff --git a/charts/ceph-provisioners/templates/job-namespace-client-key.yaml b/charts/ceph-provisioners/templates/job-namespace-client-key.yaml
new file mode 100644
index 0000000..1bcc15d
--- /dev/null
+++ b/charts/ceph-provisioners/templates/job-namespace-client-key.yaml
@@ -0,0 +1,151 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_namespace_client_key .Values.deployment.client_secrets }}
+{{- $envAll := . }}
+
+{{- $randStringSuffix := randAlphaNum 5 | lower }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-ceph-ns-key-generator" }}
+{{ tuple $envAll "namespace_client_key_generator" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ namespace: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+ namespace: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ namespace: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+ namespace: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $serviceAccountName }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ceph" "client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "namespace_client_key_generator" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ceph-storage-keys-generator
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client_key_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: DEPLOYMENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+{{- if eq .Values.storageclass.csi_rbd.provision_storage_class true }}
+ - name: PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME
+ value: {{ .Values.storageclass.csi_rbd.parameters.userSecretName }}
+ - name: PVC_CEPH_RBD_STORAGECLASS_ADMIN_SECRET_NAME
+ value: {{ .Values.storageclass.csi_rbd.parameters.adminSecretName }}
+ - name: PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE
+ value: {{ .Values.storageclass.csi_rbd.parameters.adminSecretNamespace }}
+{{- else }}
+ - name: PVC_CEPH_RBD_STORAGECLASS_USER_SECRET_NAME
+ value: {{ .Values.storageclass.rbd.parameters.userSecretName }}
+ - name: PVC_CEPH_RBD_STORAGECLASS_ADMIN_SECRET_NAME
+ value: {{ .Values.storageclass.rbd.parameters.adminSecretName }}
+ - name: PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE
+ value: {{ .Values.storageclass.rbd.parameters.adminSecretNamespace }}
+{{- end }}
+ command:
+ - /tmp/provisioner-rbd-namespace-client-key-manager.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-provisioners-bin-clients
+ mountPath: /tmp/provisioner-rbd-namespace-client-key-manager.sh
+ subPath: provisioner-rbd-namespace-client-key-manager.sh
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-ceph
+ emptyDir: {}
+ - name: ceph-provisioners-bin-clients
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+ defaultMode: 0555
+{{- end }}
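Review bot: The second Role (the one rendered into `adminSecretNamespace`, after the first RoleBinding) grants `get` and `list` on every secret in the Ceph admin namespace to a service account from another namespace; the job only consumes the secret named by `PVC_CEPH_RBD_STORAGECLASS_ADMIN_SECRET_NAME`, so `get` could be narrowed with a `resourceNames:` entry carrying the `adminSecretName` value of whichever `storageclass` branch is active, provided the script does not rely on `list` (not visible here). Because the Role/RoleBinding names are built from `randAlphaNum 5`, every render produces differently named objects, which makes `helm diff` noisy and can leave a stale pair in the admin namespace if an upgrade is interrupted; a deterministic suffix such as `$envAll.Release.Namespace` keeps names unique per release without randomness. The first Role likewise grants `create`/`update`/`patch` on all secrets in the release namespace, which is broader than writing the single user-key secret.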
diff --git a/charts/ceph-provisioners/templates/pod-helm-tests.yaml b/charts/ceph-provisioners/templates/pod-helm-tests.yaml
new file mode 100644
index 0000000..3edb521
--- /dev/null
+++ b/charts/ceph-provisioners/templates/pod-helm-tests.yaml
@@ -0,0 +1,117 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.deployment.client_secrets .Values.manifests.helm_tests }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" $envAll.Release.Name "test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumes
+ - persistentvolumeclaims
+ - events
+ - pods
+ - pods/log
+ - configmaps
+ verbs:
+ - create
+ - get
+ - delete
+ - list
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{.Release.Name}}-test"
+ labels:
+{{ tuple $envAll "ceph" "provisioner-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "init" "ceph-provisioner-helm-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+ restartPolicy: Never
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "tests" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ containers:
+ - name: ceph-provisioner-helm-test
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+ env:
+ - name: PVC_NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: RBD_TEST_POD_NAME
+ value: {{ .Values.pod.test_pod.rbd.name }}
+ - name: RBD_TEST_PVC_NAME
+ value: {{ .Values.pod.test_pod.rbd.pvc_name }}
+ - name: CSI_RBD_TEST_POD_NAME
+ value: {{ .Values.pod.test_pod.csi_rbd.name }}
+ - name: CSI_RBD_TEST_PVC_NAME
+ value: {{ .Values.pod.test_pod.csi_rbd.pvc_name }}
+ - name: CEPHFS_TEST_POD_NAME
+ value: {{ .Values.pod.test_pod.cephfs.name }}
+ - name: CEPHFS_TEST_PVC_NAME
+ value: {{ .Values.pod.test_pod.cephfs.pvc_name }}
+ - name: TEST_POD_WAIT_TIMEOUT
+ value: {{ .Values.pod.test_pod.wait_timeout | quote }}
+ command:
+ - /tmp/helm-tests.sh
+ volumeMounts:
+ - name: ceph-provisioners-bin-clients
+ mountPath: /tmp/helm-tests.sh
+ subPath: helm-tests.sh
+ readOnly: true
+ - name: pod-tmp
+ mountPath: /tmp
+ volumes:
+ - name: ceph-provisioners-bin-clients
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "ceph-prov-bin-clients" | quote }}
+ defaultMode: 0555
+ - name: pod-tmp
+ emptyDir: {}
+{{- end }}
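Review bot: The ClusterRole bound through the ClusterRoleBinding grants `create`, `get`, `delete` and `list` on pods, pods/log, persistentvolumeclaims, events and configmaps in every namespace, while the test works only in its own namespace (`PVC_NAMESPACE` is set from `.Release.Namespace`). Splitting the rules into a namespaced Role for those resources plus a ClusterRole limited to `persistentvolumes` and `storageclasses` gives the test service account the same capability with a much smaller blast radius; the sketch below keeps the original verbs. The `"helm.sh/hook": test-success` annotation is the Helm 2 spelling that Helm 3 still accepts but documents as `test`. Also, `name: "{{.Release.Name}}-test"` duplicates `$serviceAccountName`; using the variable keeps the pod name and the MAC annotation's `podName` in lockstep.
```yaml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ $serviceAccountName }}
rules:
  - apiGroups:
      - ''
    resources:
      - persistentvolumeclaims
      - events
      - pods
      - pods/log
      - configmaps
    verbs:
      - create
      - get
      - delete
      - list
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ $serviceAccountName }}
rules:
  - apiGroups:
      - ''
    resources:
      - persistentvolumes
    verbs:
      - create
      - get
      - delete
      - list
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
# … unchanged: ClusterRoleBinding; add a RoleBinding for the new Role with the same subject …
```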
diff --git a/charts/ceph-provisioners/templates/storageclass.yaml b/charts/ceph-provisioners/templates/storageclass.yaml
new file mode 100644
index 0000000..11d1bcd
--- /dev/null
+++ b/charts/ceph-provisioners/templates/storageclass.yaml
@@ -0,0 +1,19 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.storageclass (.Values.deployment.ceph) }}
+{{- range $storageclass, $val := .Values.storageclass }}
+{{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+{{- end }}
+{{- end }}
diff --git a/charts/ceph-provisioners/values.yaml b/charts/ceph-provisioners/values.yaml
new file mode 100644
index 0000000..f8d3381
--- /dev/null
+++ b/charts/ceph-provisioners/values.yaml
@@ -0,0 +1,458 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for ceph-client.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+deployment:
+ ceph: true
+ client_secrets: false
+ # Original rbd_provisioner is now DEPRECATED. It will be removed in the
+ # next release; CSI RBD provisioner should be used instead.
+ rbd_provisioner: true
+ csi_rbd_provisioner: true
+ cephfs_provisioner: true
+
+release_group: null
+
+images:
+ pull_policy: IfNotPresent
+ tags:
+ ceph_bootstrap: 'docker.io/openstackhelm/ceph-daemon:change_770201_ubuntu_bionic-20210113'
+ ceph_cephfs_provisioner: 'docker.io/openstackhelm/ceph-cephfs-provisioner:ubuntu_bionic-20200521'
+ ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:change_770201_ubuntu_bionic-20210113'
+ ceph_rbd_provisioner: 'docker.io/openstackhelm/ceph-rbd-provisioner:change_770201_ubuntu_bionic-20210113'
+ csi_provisioner: 'quay.io/k8scsi/csi-provisioner:v1.6.0'
+ csi_snapshotter: 'quay.io/k8scsi/csi-snapshotter:v2.1.1'
+ csi_attacher: 'quay.io/k8scsi/csi-attacher:v2.1.1'
+ csi_resizer: 'quay.io/k8scsi/csi-resizer:v0.4.0'
+ csi_registrar: 'quay.io/k8scsi/csi-node-driver-registrar:v1.2.0'
+ cephcsi: 'quay.io/cephcsi/cephcsi:v3.1.0'
+ dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
+ image_repo_sync: 'docker.io/library/docker:17.07.0'
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+labels:
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ provisioner:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ csi_rbd_plugin:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+pod:
+ test_pod:
+ wait_timeout: 600
+ rbd:
+ name: rbd-prov-test-pod
+ pvc_name: rbd-prov-test-pvc
+ csi_rbd:
+ name: csi-rbd-prov-test-pod
+ pvc_name: csi-rbd-prov-test-pvc
+ cephfs:
+ name: cephfs-prov-test-pod
+ pvc_name: cephfs-prov-test-pvc
+ security_context:
+ provisioner:
+ pod:
+ runAsUser: 0
+ container:
+ ceph_cephfs_provisioner:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ ceph_rbd_provisioner:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ ceph_rbd_snapshotter:
+ privileged: true
+ ceph_rbd_attacher:
+ privileged: true
+ ceph_rbd_resizer:
+ privileged: true
+ ceph_rbd_cephcsi:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ plugin:
+ pod:
+ runAsUser: 0
+ container:
+ ceph_rbd_registrar:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ ceph_csi_rbd_plugin:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ bootstrap:
+ pod:
+ runAsUser: 99
+ container:
+ ceph_client_bootstrap:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ cephfs_client_key_generator:
+ pod:
+ runAsUser: 99
+ container:
+ ceph_storage_keys_generator:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ client_key_cleaner:
+ pod:
+ runAsUser: 99
+ container:
+ ceph_namespace_client_keys_cleaner:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ client_key_generator:
+ pod:
+ runAsUser: 99
+ container:
+ ceph_storage_keys_generator:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ test:
+ pod:
+ runAsUser: 0
+ container:
+ test:
+ readOnlyRootFilesystem: true
+ dns_policy: "ClusterFirstWithHostNet"
+ replicas:
+ cephfs_provisioner: 2
+ rbd_provisioner: 2
+ csi_rbd_provisioner: 2
+ lifecycle:
+ upgrades:
+ deployments:
+ pod_replacement_strategy: Recreate
+ daemonsets:
+ pod_replacement_strategy: RollingUpdate
+ plugin:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ resources:
+ enabled: false
+ rbd_provisioner:
+ requests:
+ memory: "5Mi"
+ cpu: "250m"
+ limits:
+ memory: "50Mi"
+ cpu: "500m"
+ csi_rbd_provisioner:
+ requests:
+ memory: "5Mi"
+ cpu: "250m"
+ limits:
+ memory: "50Mi"
+ cpu: "500m"
+ cephfs_provisioner:
+ requests:
+ memory: "5Mi"
+ cpu: "250m"
+ limits:
+ memory: "50Mi"
+ cpu: "500m"
+ rbd_attacher:
+ requests:
+ memory: "5Mi"
+ cpu: "250m"
+ limits:
+ memory: "50Mi"
+ cpu: "500m"
+ rbd_registrar:
+ requests:
+ memory: "5Mi"
+ cpu: "250m"
+ limits:
+ memory: "50Mi"
+ cpu: "500m"
+ rbd_resizer:
+ requests:
+ memory: "5Mi"
+ cpu: "250m"
+ limits:
+ memory: "50Mi"
+ cpu: "500m"
+ rbd_snapshotter:
+ requests:
+ memory: "5Mi"
+ cpu: "250m"
+ limits:
+ memory: "50Mi"
+ cpu: "500m"
+ rbd_cephcsi:
+ requests:
+ memory: "5Mi"
+ cpu: "250m"
+ limits:
+ memory: "50Mi"
+ cpu: "500m"
+ jobs:
+ bootstrap:
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ requests:
+ memory: "128Mi"
+ cpu: "500m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tolerations:
+ rbd_provisioner:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/not-ready
+ operator: Exists
+ tolerationSeconds: 60
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 60
+ csi_rbd_provisioner:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/not-ready
+ operator: Exists
+ tolerationSeconds: 60
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 60
+ cephfs_provisioner:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/not-ready
+ operator: Exists
+ tolerationSeconds: 60
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 60
+
+secrets:
+ keyrings:
+ admin: ceph-client-admin-keyring
+ prov_adminSecretName: pvc-ceph-conf-combined-storageclass
+
+network:
+ public: 192.168.0.0/16
+ cluster: 192.168.0.0/16
+
+conf:
+ ceph:
+ global:
+ # auth
+ cephx: true
+ cephx_require_signatures: false
+ cephx_cluster_require_signatures: true
+ cephx_service_require_signatures: false
+ objecter_inflight_op_bytes: "1073741824"
+ objecter_inflight_ops: 10240
+ debug_ms: "0/0"
+ log_file: /dev/stdout
+ mon_cluster_log_file: /dev/stdout
+ osd:
+ osd_mkfs_type: xfs
+ osd_mkfs_options_xfs: -f -i size=2048
+ osd_max_object_name_len: 256
+ ms_bind_port_min: 6800
+ ms_bind_port_max: 7100
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - ceph-provisioners-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ bootstrap:
+ jobs: null
+ services:
+ - endpoint: internal
+ service: ceph_mon
+ cephfs_client_key_generator:
+ jobs: null
+ cephfs_provisioner:
+ jobs:
+ - ceph-rbd-pool
+ services:
+ - endpoint: internal
+ service: ceph_mon
+ namespace_client_key_cleaner:
+ jobs: null
+ namespace_client_key_generator:
+ jobs: null
+ rbd_provisioner:
+ jobs:
+ - ceph-rbd-pool
+ services:
+ - endpoint: internal
+ service: ceph_mon
+ csi_rbd_provisioner:
+ jobs:
+ - ceph-rbd-pool
+ services:
+ - endpoint: internal
+ service: ceph_mon
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+bootstrap:
+ enabled: false
+ script: |
+ ceph -s
+ function ensure_pool () {
+ ceph osd pool stats $1 || ceph osd pool create $1 $2
+ if [[ $(ceph mon versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+ ceph osd pool application enable $1 $3
+ fi
+ }
+ #ensure_pool volumes 8 cinder
+
+# if you change provision_storage_class to false
+# it is presumed you manage your own storage
+# class definition externally
+# NOTE(kranthikirang) We iterate over each storageclass parameters
+# and derive the manifest.
+storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: ceph.com/rbd
+ ceph_configmap_name: ceph-etc
+ metadata:
+ name: general-rbd
+ parameters:
+ pool: rbd
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ imageFormat: "2"
+ imageFeatures: layering
+ csi_rbd:
+ provision_storage_class: true
+ provisioner: ceph.rbd.csi.ceph.com
+ ceph_configmap_name: ceph-etc
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ clusterID: ceph
+ csi.storage.k8s.io/controller-expand-secret-name: pvc-ceph-conf-combined-storageclass
+ csi.storage.k8s.io/controller-expand-secret-namespace: ceph
+ csi.storage.k8s.io/fstype: ext4
+ csi.storage.k8s.io/node-stage-secret-name: pvc-ceph-conf-combined-storageclass
+ csi.storage.k8s.io/node-stage-secret-namespace: ceph
+ csi.storage.k8s.io/provisioner-secret-name: pvc-ceph-conf-combined-storageclass
+ csi.storage.k8s.io/provisioner-secret-namespace: ceph
+ imageFeatures: layering
+ imageFormat: "2"
+ pool: rbd
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ cephfs:
+ provision_storage_class: true
+ provisioner: ceph.com/cephfs
+ metadata:
+ name: cephfs
+ parameters:
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ ceph_mon:
+ namespace: null
+ hosts:
+ default: ceph-mon
+ discovery: ceph-mon-discovery
+ host_fqdn_override:
+ default: null
+ port:
+ mon:
+ default: 6789
+ mon_msgr2:
+ default: 3300
+
+
+manifests:
+ configmap_bin: true
+ configmap_bin_common: true
+ configmap_etc: true
+ deployment_rbd_provisioner: true
+ # Original rbd_provisioner is now DEPRECATED. It will be removed in the
+ # next release; CSI RBD provisioner should be used instead.
+ deployment_csi_rbd_provisioner: true
+ deployment_cephfs_provisioner: true
+ job_bootstrap: false
+ job_cephfs_client_key: true
+ job_image_repo_sync: true
+ job_namespace_client_key_cleaner: true
+ job_namespace_client_key: true
+ job_namespace_client_ceph_config: true
+ storageclass: true
+ helm_tests: true
+...
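Review bot: `cephx_require_signatures: false` and `cephx_service_require_signatures: false` under `conf.ceph.global` switch off cephx message signing for client-to-daemon traffic while `cephx_cluster_require_signatures` stays on, and nothing in the file explains the asymmetry; a comment such as `# NOTE: client/service message signing is off by default; enable once every client in the deployment supports cephx signatures` (or enabling them where the target cluster allows) would let operators evaluate the trade-off. `pod.security_context.test.pod.runAsUser: 0` makes the helm-test pod run as root although its container appears to only run `helm-tests.sh`; the uid `99` used by the job stanzas is worth trying there too. The `images.tags` entries are mutable tags rather than digests, so the bundled chart is not reproducible; pinning by digest (`image@sha256:<digest>`) would be a supply-chain improvement.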
diff --git a/charts/ceph-provisioners/values_overrides/apparmor.yaml b/charts/ceph-provisioners/values_overrides/apparmor.yaml
new file mode 100644
index 0000000..0d3ed72
--- /dev/null
+++ b/charts/ceph-provisioners/values_overrides/apparmor.yaml
@@ -0,0 +1,37 @@
+---
+pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-cephfs-provisioner:
+ ceph-cephfs-provisioner: runtime/default
+ init: runtime/default
+ ceph-cephfs-client-key-generator:
+ ceph-storage-keys-generator: runtime/default
+ init: runtime/default
+ ceph-rbd-provisioner:
+ ceph-rbd-provisioner: runtime/default
+ init: runtime/default
+ ceph-rbd-csi-provisioner:
+ ceph-rbd-provisioner: runtime/default
+ init: runtime/default
+ ceph-rbd-snapshotter: runtime/default
+ ceph-rbd-attacher: runtime/default
+ csi-resizer: runtime/default
+ csi-rbdplugin: runtime/default
+ ceph-provisioner-test:
+ init: runtime/default
+ ceph-provisioner-helm-test: runtime/default
+ ceph-osh-infra-config-test:
+ init: runtime/default
+ ceph-provisioner-helm-test: runtime/default
+ ceph-provisioners-ceph-ns-key-generator:
+ ceph-storage-keys-generator: runtime/default
+ init: runtime/default
+ ceph-rbd-plugin:
+ driver-registrar: runtime/default
+ csi-rbdplugin: runtime/default
+ init: runtime/default
+
+deployment:
+ client_secrets: true
+...
diff --git a/charts/cinder/.helmignore b/charts/cinder/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/cinder/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/cinder/Chart.yaml b/charts/cinder/Chart.yaml
new file mode 100644
index 0000000..c769da8
--- /dev/null
+++ b/charts/cinder/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Cinder
+home: https://docs.openstack.org/cinder/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: cinder
+sources:
+- https://opendev.org/openstack/cinder
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.25
diff --git a/charts/cinder/charts/helm-toolkit/Chart.yaml b/charts/cinder/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..4f9e6e5
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.46
diff --git a/charts/cinder/charts/helm-toolkit/requirements.yaml b/charts/cinder/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
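Review bot: `$endpointUser` and `$endpointPass` are inserted into the URI unescaped in the final `printf`, so a password containing `@`, `:`, `/`, `#` or `%` yields a malformed or misparsed `scheme://user:pass@host` string, with the credential silently landing in the wrong URI component. Go templates provide the builtin `urlquery`, so `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}` would percent-encode both; consumers that parse RFC 3986 userinfo decode percent-escapes, but `urlquery` encodes a space as `+`, which is not decoded in userinfo, so a password containing spaces still needs separate handling. The `abstract` comment above the define should also state that the returned value embeds the plaintext credential, since callers typically write it into configuration files.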
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
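Review bot: The username and password are interpolated verbatim into the transport URL by the two `printf "%s:%s@..."` calls that build `$endpointCredAndHost`, so a password containing `@`, `:`, `/`, `?` or `#` yields a URL that the oslo.messaging TransportURL parser named in the abstract will split at the wrong place or reject. Go's text/template builtin `urlquery` is available in Helm; escaping both fields where they are read, `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}`, would make the output robust to such values, though the result should be confirmed against how the consuming parser unquotes userinfo. The same verbatim interpolation is used in `helm-toolkit.endpoints.authenticated_endpoint_uri_lookup` in the hunk above, which begins before this chunk. As a smaller point, the `else` branch re-runs the same `endpoint_host_lookup` include whose result `$endpointHostSuffix` already holds from earlier in the body.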
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
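Review bot: The IPv4 test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any host value that merely contains a dotted quad (a constructed example: `db-10.0.0.1.example`) is treated as a literal address and skips the FQDN resolution branch; anchoring it as `regexMatch "^[0-9]{1,3}(\\.[0-9]{1,3}){3}$" $endpointHost` restricts the shortcut to bare addresses. The same pattern appears in `hostname_short_endpoint_lookup` and in `service_name_endpoint_with_namespace_lookup` further down in this chunk. Separately, the helper keeps its scratch value in `$context.Values.__endpointHost` via `set`, mutating the shared values map for every caller, where a local `dict` (as `authenticated_transport_endpoint_uri_lookup` does with `$local`) would serve; `hostname_fqdn_endpoint_lookup` does the same with `__FQDNendpointHostDefault` and `hostname_short_endpoint_lookup` with `__endpointHost`. `$endpointScheme := $endpointMap.scheme` is assigned and never used.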
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
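Review bot: `printf "%1.f" $endpointPort` only renders correctly when the port is a numeric value; if a values file quotes it (constructed: `default: "3306"`), Go's printf emits `%!f(string=3306)` into every URI built on this helper, and the `eq $endpointPort "80"` / `"443"` comparisons in `keystone_endpoint_uri_lookup` below also depend on this exact formatting. `printf "%v" $endpointPort` renders both a whole float and a string as `3306` and would tolerate either form; whether any chart relies on the rounding of `%1.f` is not visible here. Failing that, the abstract should state that `port` values must be unquoted integers, e.g. `Resolves the port for an endpoint; the port must be an integer (not a quoted string) in values`.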
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
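Review bot: The abstract reads `Resolves the namespace scoped hostname for an endpoint`, which is the wording of `hostname_namespaced_endpoint_lookup`, but this helper returns only the namespace (the example `return` is `default`). Replace it with `Resolves the namespace for an endpoint, falling back to the release namespace`, which matches `$endpointMap.namespace | default $context.Release.Namespace`.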
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
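Review bot: The abstract `Resolves the short hostname for an endpoint` omits the branch where a host that matches the IPv4 regex makes the helper emit `$type` (the service type string, hyphens intact) instead of the host, which is a surprising result for a caller expecting a hostname. Add to the abstract something like `When the resolved host is an IPv4 address the service type name is returned instead, presumably so a valid Service name can still be derived` (the intent is inferred and should be confirmed). `$endpointScheme := $endpointMap.scheme` is assigned and never used here, as in `endpoint_host_lookup`.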
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
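Review bot: The usage example `{{ tuple identity . | include "keystone_endpoint_name_lookup" }}` does not work as written: the template is defined as `helm-toolkit.endpoints.keystone_endpoint_name_lookup`, and `identity` is an unquoted bare word rather than a string argument. Correct it to `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`; the quoted `"keystone"` in the return example is right, since the body ends with `| quote`.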
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
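Review bot: The two `# FIXME(portdirect)` lines sit outside any `{{/* */}}` block, so to the template engine they are literal text, not comments; Helm discards the output of `_`-prefixed partials, so they do not reach a manifest today, but they would be emitted if this text were ever moved into a rendered template. Moving them inside the following `{{/* ... */}}` header keeps the note without that risk; the same applies to the `#` lines in `_keystone_endpoint_scheme_lookup.tpl` below. The FIXME's observation still holds in this copy: `$port := index . 2` is assigned and never used in the body.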
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
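Review bot: The explanatory comment's example `{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }` names a template that does not exist; the define below is `helm-toolkit.endpoints.keystone_endpoint_scheme_lookup`, and the example is also missing the second brace on each side. Correct it to `{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}`. The comment's claim that most endpoints return `http` or `https` is consistent with the `default "http"` fallbacks in the body, but note the fallback is the insecure scheme, which is worth a sentence in the abstract so chart authors set `scheme` explicitly.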
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/cinder/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
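Review bot: The `{{- if .service.name }}` test on the IP-address branch dereferences `.service` without checking that the key exists; the documented values (`hosts`, `host_fqdn_override`, `namespace`) carry no `service` key, so for an IP-valued host this likely fails at render time with Helm's nil-pointer error rather than falling through to the `namespace:typeYamlSafe` default. Guarding the lookup avoids that, e.g. `{{- $svcName := index (index . "service" | default dict) "name" }}` followed by `{{- if $svcName }}` (and the same `$svcName` in the printf). The `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"` is also unanchored, so any hostname that merely contains a dotted-quad substring takes the IP branch; anchoring it as `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` makes the intent explicit.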
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
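Review bot: `monitors: {{ $monHost }}` emits the monitor list as a plain YAML scalar while every other parameter goes through `| quote`; a `mon_host` value containing `,` or a leading `[` (Ceph's bracketed v1/v2 address form) would be parsed as a flow sequence or mis-split instead of reaching the provisioner as a string. Quoting it consistently, `monitors: {{ $monHost | quote }}`, closes that gap. The abstract at the top of the hunk also reads "kubernete ceph storageclass"; "Kubernetes Ceph StorageClass" is the intended wording.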
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
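Review bot: The comment at the `dnsNames` guard says the list "can be overridden by a passed-in parameter", but the define only reads `envAll`, `service` and `type` from its dict and computes the names from `helm-toolkit.endpoints.hostname_short_endpoint_lookup`; the override path is the values file, not a parameter. I would replace the two-line comment with `{{/* If tls.dnsNames is absent from values.yaml, derive it from the short hostname, the namespaced name and the cluster FQDN; set tls.dnsNames in values to override. */}}`. It is also worth documenting that every `set` here writes the defaults back into `$envAll.Values.endpoints.<service>.host_fqdn_override.default.tls`, so other templates rendered afterwards in the same release (the ingress helper reads `duration` from the same map) presumably observe the defaulted values; a one-line `{{/* NOTE: the set calls below mutate .Values in place for the rest of the render */}}` above the first guard would make that side effect visible.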
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..70e64cc
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.kibana.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
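Review bot: The `docker-socket` volume near the end of the hunk mounts `/var/run/docker.sock` from the host into the image-repo-sync container, which gives that container control of the node's Docker daemon — effectively root on the node — and nothing in the template or its `index . "..."` parameters gates it. The hostPath should at least carry a comment stating why it is needed and that `$nodeSelector` is the only thing keeping this job off general workload nodes, e.g. `# Host Docker socket: grants node-root-equivalent access; keep this job on trusted registry/sync nodes only`. It would also be reasonable to expose the socket path as a dict key with the current value as default so charts on non-Docker runtimes can override it, but that is a design choice for the maintainers.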
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
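Review bot: The egress loop can emit a `- to:` entry with no peers: the outer guard is `or (hasKey $value "namespace") (hasKey $value "hosts")`, but the inner branches need a truthy `index $value "namespace"` or `index $value "hosts"`, so an endpoint with `namespace: null` and no `hosts` appears to render `- to:` followed directly by `ports:`, and Kubernetes treats an egress rule with an empty `to` as allowing all destinations on those ports. Changing the outer condition to `{{- if or (index $value "namespace") (index $value "hosts") }}` keeps the rule from being emitted unless a selector will follow. Separately, the generated `namespaceSelector` relies on every namespace carrying a `name: <namespace>` label, which is an assumption worth stating in the header comment, e.g. `Namespaces must be labelled name=<namespace> for the egress namespaceSelector to match.`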
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
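Review bot: The header examples show the registry credential as `name: {{ $userName }}` under `endpoints.oci_image_registry.auth.<service>`, but the template reads `$imageCredentials.username`, so a values file written from the example would render an empty user into the dockerconfigjson token. Since the code is what runs, the example lines in both `values:` blocks should read `username: {{ $userName }}`. The abstract also has a typo, `a authenticating a registry` should read `authenticating a registry`.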
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
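Review bot: The dict keys `endpoint` (default `public`) and `backendService` (default `api`) read at the top of the define are not mentioned anywhere in the header comment, whose two examples only pass `envAll` and `backendServiceType`. A reader cannot tell from the docs that the secret name is resolved from `secrets.tls.<type>.<backendService>.<endpoint>` and the material from `endpoints.<type>.host_fqdn_override.<endpoint>.tls`, nor that no manifest is rendered at all when `tls.key` or `tls.crt` is missing. Add a short parameter list to the comment, e.g. `endpoint: host_fqdn_override entry to read (default public); backendService: secrets.tls entry naming the Secret (default api)`.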
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
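Review bot: The header comment says this function creates a service's ingress rules, but the define renders a `kind: Service` whose `selector` is the fixed label `app: ingress-api`, i.e. a Service pointing at the ingress controller pods, not an Ingress resource. Reword the comment to `# This function creates a Service manifest that points a service's public endpoint at the ingress controller pods (selector app: ingress-api).` and fix `a services` to `a service's`. Because the selector is hard-coded rather than derived from `$envAll`, it is also worth stating in the same comment that every consuming chart must run an ingress controller labelled this way.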
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
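Review bot: The else branch adds `--no-check-certificate`, so whenever `RGW_PROTO` is anything other than `http` the admin and user access/secret keys are sent to an RGW endpoint whose certificate is never validated, which accepts any certificate rather than the cluster's own CA. If tolerating self-signed RGW certificates is the intent, make it an explicit opt-out and otherwise pass the CA bundle, e.g. `if [ "${RGW_SKIP_TLS_VERIFY:-false}" = "true" ]; then CONNECTION_ARGS+=" --no-check-certificate"; else CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERTS}"; fi` (variable names here are placeholders to be wired through the job env). The file also lacks a trailing newline.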
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
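Review bot: `--uid=${S3_USERNAME}\` in the `user modify` call has no space before the continuation backslash; it only works because the next line begins with whitespace, and it does not match the `user create` block above. Write it as `--uid=${S3_USERNAME} \`. The loop in `update_s3_user` also deletes every access key on the user that is not `S3_ACCESS_KEY`, which is a stronger contract than the function name suggests and deserves a comment at the top of the function, e.g. `# Enforces a single s3 key pair: any existing key other than S3_ACCESS_KEY is removed before the supplied pair is applied.` The file also lacks a trailing newline.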
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
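Review bot: `"DROP DATABASE IF EXISTS {0}".format(database)` and `"DROP USER IF EXISTS {0}".format(user)` interpolate names parsed from the service connection URL straight into SQL; these are identifiers and cannot be bound as parameters, but they should be validated and quoted so an unexpected name cannot alter the statement, e.g. `if not re.match(r'^[A-Za-z0-9_]+$', database): logger.critical("invalid database name"); sys.exit(1)` (and the same for `user`), with the identifier wrapped in MySQL backtick quotes in the format string and `import re` added. The root URL is also rebuilt by string concatenation at `root_engine_url = ''.join([...])`, which produces a broken URL when the root password contains `@`, `:` or `/`; rebuilding from `root_engine_full.url` (the URL object already parsed it) avoids that. The bare `except:` clauses additionally catch `SystemExit` and `KeyboardInterrupt`; `except Exception:` is the intended scope. The `_db-init.py.tpl` hunk that follows appears to start identically, but it is cut off in this view so I have not checked it.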
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
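Review bot: The `GRANT ALL ON ... IDENTIFIED BY` statement under `# Create DB User` interpolates the service password into the SQL text with `str.format`, so a generated password containing a quote breaks (or alters) the statement, and `mysql_x509`, taken verbatim from the `MARIADB_X509` env var, is appended as an unquoted SQL fragment. The password can be bound instead of formatted — `from sqlalchemy import text` and pass it as a `:pw` parameter via `root_engine.execute(text(...), pw=password)` — with `mysql_x509` checked against an allow-list of accepted values before use; the `%%` on that line relies on the DBAPI's `%`-style substitution and should presumably become a single `%` once `text()` handles the escaping. Separately, `str (port)` in the rebuilt root URL yields `host:None` when the root connection string carries no explicit port, and the bare `except:` clauses would read better as `except Exception:` since they re-raise anyway.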
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
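Review bot: `set -ex` traces every `pgsql_superuser_cmd` call, so the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password` lines write the service database password into the job's stdout and hence the pod logs; wrap those two calls in `set +x` / `set -x`, as the `_ks-user.sh.tpl` script in this same commit does around `openstack user set --password=`. The `EXPORT PGDATABASE=$2` branch in `pgsql_superuser_cmd` is also wrong: `EXPORT` is not a shell builtin, so the first caller to pass a second argument will abort under `set -e` with a command-not-found error — it should read `export PGDATABASE=$2`. No caller in this hunk passes a second argument, so that bug is currently latent.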
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
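Review bot: `IFS=','` is set once and never restored, so any word splitting after the loop still uses a comma, and the unquoted `${IMAGE}` expansions would split a value containing whitespace further; saving and restoring IFS around the loop (`OLD_IFS="$IFS"; IFS=','; ...; IFS="$OLD_IFS"`) and quoting `"${IMAGE}"` / `"${LOCAL_REPO}/${IMAGE}"` keeps the script predictable under `#!/bin/sh`. Images are pulled by tag only, so what lands in `${LOCAL_REPO}` is whatever the tag resolves to at run time; a one-line comment stating that the sync list is expected to carry tags, not digests, would make that assumption visible.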
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
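Review bot: With `set -ex` at the top, the `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` line and the following `openstack user set --password=` line are echoed by the shell trace with the clear-text service password into the job log. The `_ks-user.sh.tpl` script added in the same commit already handles this with `set +x` before `openstack user set --password=...`, `set -x` after it, and an `echo` that masks the password; the same three lines belong around both password-carrying commands here. The user create also mixes the `--description "..."` form with the `--description="..."` form used for the domain — harmless, but worth aligning.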
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
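Review bot: `OS_SERVICE_ID` is passed to `openstack endpoint create` without any check that the `service list | grep | sed` pipeline produced a value; the pipeline's exit status is that of `sed`, so a failed `openstack service list` (the scenario the `_ks-service.sh.tpl` FIXME in this commit describes) leaves it empty and the script only fails at the create step with an opaque error, or carries several IDs if duplicate services exist. A guard right after the assignment, `[[ -n "${OS_SERVICE_ID}" ]] || { echo "Service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; }`, makes the failure explicit. The unquoted `${OS_ENDPOINT_ID}` in the `endpoint delete`/`endpoint show` calls is only safe because the multi-endpoint cleanup above reduces it to a single token — a comment such as `# OS_ENDPOINT_ID is a single ID here; duplicates were removed above` would record that.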
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
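Review bot: The retry loop cannot distinguish "service list failed" from "service genuinely absent": the `openstack service list | grep | sed` pipeline exits with `sed`'s status, so under `set -e` an API error is silently folded into an empty `OS_SERVICE_ID`, and after three such failures the script still falls through to `openstack service create` — the duplicate-service outcome the FIXME above describes. Capturing the listing first, `SERVICE_LIST=$(openstack service list -f csv --quote none) || { sleep 2; continue; }`, and then grepping `"${SERVICE_LIST}"` lets a failed call retry without being counted as "not found"; a final check that the listing succeeded at least once before creating would close the gap. The comment block also has the typos "duplciate" and "ecounter".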
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
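Review bot: The member-role assignment at the end is a no-op: `ks_assign_user_role` derives `USER_ROLE_ID` from `SERVICE_OS_ROLE`, so the exported `USER_ROLE_ID` of `${MEMBER_OS_ROLE}` is overwritten by the ID of whatever role the preceding `for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}` loop left behind (or by an attempt to create a role with an empty name when `SERVICE_OS_ROLES` is empty), and the member role is never added. Passing the role name as an argument to the function fixes both call sites; the rewrite below replaces the role lookup at the top of the function and the two calls, and makes the separate `export USER_ROLE_ID=...` line unnecessary. `IFS=','` is also left set after the loop, which is harmless here only because every later expansion is quoted.
```bash
function ks_assign_user_role () {
  local ROLE_NAME="$1"
  if [[ "${ROLE_NAME}" == "admin" ]]
  then
    USER_ROLE_ID="${ROLE_NAME}"
  else
    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${ROLE_NAME}");
  fi
  # … unchanged: openstack role add …
}

for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
  ks_assign_user_role "${SERVICE_OS_ROLE}"
done

# Manage user member role
: ${MEMBER_OS_ROLE:="member"}
ks_assign_user_role "${MEMBER_OS_ROLE}"
```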
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
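Review bot: `${@}` at the end of both `rabbitmqadmin` invocations in `rabbitmqadmin_cli` is unquoted, so the arguments are re-split on whitespace and glob-expanded before `rabbitmqadmin` sees them; the `password="${RABBITMQ_PASSWORD}"` argument of the `declare user` call would be broken into pieces if a generated password ever contains a space or a glob character, creating the user with the wrong password. Both should be `"$@"`. The credential parsing with `awk -F'[//:]'` splits the URL on literal characters, so a percent-encoded username or password would be passed through still encoded — a comment stating that the connection strings are expected to carry plain, unencoded credentials would make that assumption explicit.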
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
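Review bot: `[ $revisionResults = "None" ]` in `create_or_update_db` is unquoted: if `rally db revision` prints nothing, or more than one word, the test becomes malformed and aborts with a syntax error instead of taking a branch — write `if [ "${revisionResults}" = "None" ]`. The heredoc writes `OS_PASSWORD` and `SERVICE_OS_PASSWORD` into `/tmp/rally-config.json` with the default umask, and under `set -e` the `rm -f` only runs if `rally deployment create` succeeds; an `umask 077` before the `cat`, and moving the `rm -f` into a `trap ... EXIT` that is registered regardless of `RALLY_CLEANUP`, keeps the credentials file short-lived on the failure path too.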
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
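Review bot: Every dump-failure path in backup_databases exits with status 0, because log_backup_error_exit defaults its code (`ERRCODE=${2:-0}`) and none of the calls on the mkdir, mktemp, dump_databases_to_directory or tar failures pass one, so a CronJob running this script reports success when no tarball was produced and any alerting keyed on job status never fires; the comment before the `exit 0` after a remote-send failure justifies that only for an already-successful local backup. Unless the same rationale is meant to cover a missing backup, pass a non-zero code at those call sites, e.g. `log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention." 1`, and say in the header comment which failures are deliberately reported as success. In send_to_remote_server the keystone token is handed to curl on the command line via `-H "X-Auth-Token: ${TOKEN}"`, where it is readable from the process list inside the pod for the duration of the request; reading the header from a 0600 temporary file (`-H @file` on curl versions that support it, or `--config`) keeps it out of argv. Separately, the cleanup loop in remove_old_remote_archives tests and removes the literal name `fd` instead of `${fd}`, so the two mktemp files from prepare_list_of_remote_backups are never deleted and a spurious WARN is logged on every run, and `${$ARCHIVE_DIR}` in remove_old_local_archives is a bad substitution that breaks that log line.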
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
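Review bot: The `$imageTag := index $envAll.Values.images.tags $image` line yields nil when the requested key is absent from `images.tags`, so the snippet renders `image: ""` and the mistake only surfaces when the pod fails to pull; `required` turns it into a template-time error: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. The tag string is otherwise passed through `printf "%s/%s"` unchanged, so operators who want pinned images can put a `name@sha256:...` reference in `images.tags` without any change here; that is worth a sentence in the `abstract:` block, since nothing in the chart enforces it.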
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
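Review bot: The header comment is out of step with the define: the `return:` example lists `OS_CACERT` unconditionally and omits `OS_DEFAULT_DOMAIN`, while the template always emits `OS_DEFAULT_DOMAIN` and emits `OS_CACERT` only when `.useCA` is truthy, and the `usage:` line never mentions `useCA`. That matters because a caller who copies the example gets no CA variable, and a client talking to a TLS Keystone endpoint signed by a private CA then has no trust anchor. I would change the usage line to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}`, add `OS_DEFAULT_DOMAIN` to the return example, and add a one-line note that `OS_CACERT` is gated on `useCA`.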
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
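Review bot: `OS_PASSWORD: {{ $userContext.password | b64enc }}` has no guard, so an `endpoints.identity.auth.<class>.password` left unset is either rendered as an empty credential or fails inside `b64enc` with an unhelpful message (which of the two happens depends on the Helm version; not verified here). Since this Secret is what every Keystone-facing job authenticates with, I would fail the render explicitly: `OS_PASSWORD: {{ $userContext.password | required (printf "endpoints.identity.auth.%s.password must be set" $userClass) | b64enc }}`. The same treatment fits `username`, `project_name` and `region_name` on the lines above, which are also read without a default. The `cacert` value is base64-encoded verbatim; whether it is expected to be a path or PEM content is not visible in this hunk and deserves a comment.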
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
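Review bot: The `usage:` example passes `"useCA" true`, but the define reads only `.ksUserSecret` and renders no CA variable, so the documented input is silently ignored and a reader may assume the user-create jobs are CA-aware. Either drop it from the example — `{{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }}` — or, if the jobs do need it, gate a `SERVICE_OS_CACERT` entry on `.useCA` the way the openrc snippet does. I cannot tell from this hunk which the jobs expect, so the documentation fix is the safe minimum.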
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
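Review bot: The `values:` block documents `apparmor_profiles` under `pod.mandatory_access_control`, but the template only reads `$envAll.Values.conf.apparmor_profiles`; the `pod.mandatory_access_control` keys are used purely as on/off gates. An operator following the comment gets no ConfigMap at all, and nothing here warns about it, so the `profiles` volume rendered by the companion volumes snippet would reference a ConfigMap that does not exist. Move the example to a `conf:` stanza in the comment — `conf:` / `  apparmor_profiles:` / `    my_apparmor-v1.profile: |-` with the profile body unchanged — and leave `pod.mandatory_access_control` with just `type` and `configmap_apparmor`.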
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
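Review bot: `image: {{ $envAll.Values.images.tags.apparmor_loader }}` bypasses the `helm-toolkit.snippets.image` helper, so `images.local_registry` rewriting and `images.pull_policy` are not applied and no `imagePullPolicy` is rendered for this container — the one container in the pod that runs `privileged: true`. Replacing that line with `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` brings it in line with the rest of the toolkit and makes the registry and pull-policy controls apply. Given the privilege level, the header comment should also say that this image is the natural candidate for a digest-pinned `images.tags.apparmor_loader`.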
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
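Review bot: Both `hostPath` volumes omit `type`, so the kubelet performs no check before mounting `/sys` and `/etc/apparmor.d`; on a node without the AppArmor packages the pod may still start with an empty or freshly created `/etc/apparmor.d` and the loader fails at run time with a less obvious error (behaviour with the empty type is version-dependent, so treat this as a hedge). Adding `type: Directory` under each `hostPath:` block makes a missing directory a clear volume-mount event instead. The `abstract:` should also state that these hostPath mounts require an admission level that permits hostPath, since a baseline or restricted Pod Security namespace will reject the pod.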
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
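Review bot: When `pod.security_context.<app>.container.<name>` is absent the snippet renders nothing, so that container silently gets the Kubernetes defaults (runs as whatever the image specifies, `allowPrivilegeEscalation` unset), unlike the `kubernetes_entrypoint_init_container` snippet in this toolkit, which falls back to a hardened default context. That asymmetry is easy to miss from the `abstract:`, which only shows the configured case. I would add to the header comment: `# NOTE: renders nothing when no entry exists for the container; no default` / `# securityContext is applied, so hardening must be set explicitly in values.`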
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
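Review bot: The `container.apparmor.security.beta.kubernetes.io/<name>` annotation emitted at L31268 is deprecated as of Kubernetes 1.30 in favor of the `securityContext.appArmorProfile` field (`type: Localhost`, `localhostProfile: <profile>`); the annotation is still honored on current releases, but it is the field that is going forward, so the docblock should say so rather than present the annotation as the only form. Suggested addition to the `note:` section: `# The beta annotation is deprecated since Kubernetes 1.30; prefer securityContext.appArmorProfile when the chart targets 1.30+`. A second point worth documenting: any name in `containerNames` without an entry under `pod.mandatory_access_control.<podName>` (the `if $apparmorProfile` guard at L31267) silently gets no annotation and therefore runs with the runtime's default profile or unconfined, so the "optional" marker at L31243 should spell out that omission means "not confined by this chart".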
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
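Review bot: The single rule built at L31528–L31554 grants `list` as well as `get` on `secrets` (L31551–L31552) with no `resourceNames`, so the dependency-check ServiceAccount can enumerate and read every Secret in the namespace, which is far more than checking that a named dependency exists. `list` cannot be narrowed by `resourceNames`, but `get` can; if kubernetes-entrypoint only needs to confirm specific Secrets exist (I cannot tell from this hunk what it reads), a separate rule with `get` only and the dependency names in `resourceNames` would keep the role to least privilege. The same rule also lists `extensions`, `batch` and `apps` as apiGroups for core resources such as `secrets`, `pods` and `services`; that is inert today but should be split per resource group so a reviewer can see what is actually granted. A shape for the secrets rule:

```yaml
  - apiGroups:
      - ""
    verbs:
      - get
    resources:
      - secrets
    # resourceNames: restrict to the secrets the entrypoint actually checks, if it only needs existence
  # … unchanged: existing rule for daemonsets/jobs/pods/services/endpoints, with secrets removed …
```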
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
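Review bot: The ServiceAccount rendered at L31601–L31605 does not set `automountServiceAccountToken`, so the token carrying the get/list grants assembled here (jobs, pods, daemonsets, services/endpoints and, when `secret` is a dependency, secrets) is mounted into every container of every pod that uses this SA, although only the kubernetes-entrypoint init container needs it. Adding `automountServiceAccountToken: false` on the SA and mounting a projected token only into the init container would scope the credential to the one consumer; that requires the pod templates to add the projected volume, which is outside this hunk, so it is a follow-up rather than a one-line fix. Also note that for a service dependency whose endpoint has a `namespace` (L31615–L31618) a Role and RoleBinding are rendered in that foreign namespace via L31632–L31634, which presumably means the identity running `helm install` must be allowed to create RBAC objects there; the docblock should call this out.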
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
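Review bot: The `container.seccomp.security.alpha.kubernetes.io/<name>` annotation emitted at L31878 was deprecated in Kubernetes 1.19 and removed in 1.27, so on any 1.27+ cluster the rendered annotation is ignored and the container runs without the intended seccomp profile, with no error to signal that enforcement was lost. The supported form is `securityContext.seccompProfile` on the container: a value of `localhost/mySeccomp` maps to `seccompProfile: {type: Localhost, localhostProfile: mySeccomp}` and `runtime/default` maps to `type: RuntimeDefault`, so the snippet would need to be included under `securityContext` rather than under `annotations`. Until that is reworked, the docblock should carry a warning such as `# NOTE: this annotation has no effect on Kubernetes >= 1.27; use securityContext.seccompProfile instead`. Separately, `hasKey (index $envAll.Values.pod "seccomp") $podName` at L31874 passes a nil value to `hasKey` when `pod.seccomp` is absent, which will likely fail the render; guarding with `if hasKey $envAll.Values.pod "seccomp"` first, as the AppArmor snippet does at L31259, avoids that.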
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/cinder/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/cinder/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_template.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
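Review bot: helm-toolkit.utils.to_ini emits `{{ $key }} = {{ $value }}` with no quoting, while helm-toolkit.utils.to_kv_list in the `_to_kv_list.tpl` hunk below quotes string values unless they are all digits, so the same input yields different INI from the two helpers; the header comment should say that this one never quotes. Because the value is interpolated verbatim, a string containing a newline or a `[section]` line changes the structure of the generated file rather than becoming a value; these come from chart values rather than runtime input, so documenting it is enough, e.g. adding to the abstract: `Values are written unquoted and unescaped; callers must not pass strings containing newlines.`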
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
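Review bot: The `usage:` line in the header documents a call to `helm-toolkit.utils.to_k8s_env_vars` with a single argument, but the define below is `to_k8s_env_secret_vars` and reads `index . 0` (the context) and `index . 1` (the secrets map), so the documented invocation would fail; given the `values:` and `return:` examples, the usage is presumably `{{ include "helm-toolkit.utils.to_k8s_env_secret_vars" (list . .Values.test.secrets) }}`. Separately, `- name: {{ $key }}` and `key: {{ $key }}` are rendered unquoted, so a key that looks like a boolean or is all digits would be retyped by the YAML parser; `{{ $key | quote }}` keeps it a string, and the same applies to `- name: {{ $key }}` in the `_to_k8s_env_vars.tpl` hunk.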
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
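Review bot: The header for helm-toolkit.utils.to_kv_list says only "Returns key value pair in INI format" and does not mention the quoting rule the body implements: slices are joined and quoted, strings are quoted unless they match `^[0-9]+$`, and every other kind is written bare. Callers need that to know why `log_level: "3"` and `log_level: 3` render the same while `"-1"` or `"1.5"` come out quoted, so the abstract should add: `String values are double-quoted unless they consist solely of digits; non-string scalars are written as-is.` Whether the quoted form is accepted by every consumer of these files I cannot tell from here.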
diff --git a/charts/cinder/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/cinder/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
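Review bot: In helm-toolkit.utils.to_oslo_conf a map-valued option whose `type` is neither `multistring` nor `csv` is dropped silently, because the `else if kindIs "map"` branch has no final `else` before its `{{ end -}}`; a typo such as `type: multi-string` removes the option from the rendered config without any error. Adding `{{ else }}{{ fail (printf "to_oslo_conf: unsupported type %q for option %s" $value.type $key) }}` before that `{{ end -}}` turns the omission into a render-time failure. A map that lacks the `type` key entirely presumably ends up in the same branch; the header should say that `type` is required for map values.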
diff --git a/charts/cinder/charts/helm-toolkit/values.yaml b/charts/cinder/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/cinder/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/cinder/requirements.lock b/charts/cinder/requirements.lock
new file mode 100644
index 0000000..a35c5a5
--- /dev/null
+++ b/charts/cinder/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.46
+digest: sha256:4baae4035ac4ec09ff414ac48d8f1e3f030d1ce1629727cb1ff24d44ffa000f1
+generated: "2022-08-17T17:14:30.083437397Z"
diff --git a/charts/cinder/requirements.yaml b/charts/cinder/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/cinder/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
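Review bot: `version: ">= 0.1.0"` is an open-ended range, while the `requirements.lock` hunk above pins helm-toolkit to `0.2.46` with a sha256 digest, so a `helm dependency update` in a different environment could legitimately resolve a different toolkit than the one bundled here; a bounded range such as `version: ">= 0.2.46, < 0.3.0"` keeps the two in step. The `repository: file://../../openstack-helm-infra/helm-toolkit` path also points outside this repository, so dependency resolution needs that sibling checkout present; presumably the vendored `charts/helm-toolkit` copy is what is actually used, which is worth stating in a comment on the entry.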
diff --git a/charts/cinder/templates/bin/_backup-storage-init.sh.tpl b/charts/cinder/templates/bin/_backup-storage-init.sh.tpl
new file mode 100644
index 0000000..cd2389c
--- /dev/null
+++ b/charts/cinder/templates/bin/_backup-storage-init.sh.tpl
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+if [[ $STORAGE_BACKEND =~ 'cinder.backup.drivers.ceph' ]]; then
+ SECRET=$(mktemp --suffix .yaml)
+ KEYRING=$(mktemp --suffix .keyring)
+ function cleanup {
+ rm -f ${SECRET} ${KEYRING}
+ }
+ trap cleanup EXIT
+fi
+
+set -ex
+if [[ $STORAGE_BACKEND =~ 'cinder.backup.drivers.swift' ]] || \
+ [[ $STORAGE_BACKEND =~ 'cinder.backup.drivers.posix' ]]; then
+ echo "INFO: no action required to use $STORAGE_BACKEND"
+elif [[ $STORAGE_BACKEND =~ 'cinder.backup.drivers.ceph' ]]; then
+ ceph -s
+ function ensure_pool () {
+ ceph osd pool stats $1 || ceph osd pool create $1 $2
+ if [[ $(ceph mgr versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+ ceph osd pool application enable $1 $3
+ fi
+ size_protection=$(ceph osd pool get $1 nosizechange | cut -f2 -d: | tr -d '[:space:]')
+ ceph osd pool set $1 nosizechange 0
+ ceph osd pool set $1 size ${RBD_POOL_REPLICATION}
+ ceph osd pool set $1 nosizechange ${size_protection}
+ ceph osd pool set $1 crush_rule "${RBD_POOL_CRUSH_RULE}"
+ }
+ ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} ${RBD_POOL_APP_NAME}
+
+ if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
+ echo "Cephx user client.${RBD_POOL_USER} already exists"
+ echo "Update its cephx caps"
+ ceph auth caps client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd pool=${RBD_POOL_NAME}"
+ ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
+ else
+ ceph auth get-or-create client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd pool=${RBD_POOL_NAME}" \
+ -o ${KEYRING}
+ fi
+
+ ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0)
+ cat > ${SECRET} <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${RBD_POOL_SECRET}"
+type: kubernetes.io/rbd
+data:
+ key: $( echo ${ENCODED_KEYRING} )
+EOF
+ kubectl apply --namespace ${NAMESPACE} -f ${SECRET}
+
+fi
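Review bot: With `set -ex` in effect, the `$( echo ${ENCODED_KEYRING} )` command substitution inside the `cat > ${SECRET}` heredoc is traced, so xtrace writes `++ echo <base64 cephx key>` to stderr and the key ends up in the job's container logs. The substitution is unnecessary — `  key: ${ENCODED_KEYRING}` expands the same value without a traced command — and wrapping the secret-building section in `set +x` / `set -x` keeps the keyring assembly out of the trace as well. The `mktemp` files are removed by the `cleanup` trap, which is good; the log exposure is the remaining leak.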
diff --git a/charts/cinder/templates/bin/_bootstrap.sh.tpl b/charts/cinder/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..49d99c5
--- /dev/null
+++ b/charts/cinder/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,118 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+{{- if .Values.bootstrap.enabled | default "echo 'Not Enabled'" }}
+
+ {{- /* Create volume types defined in Values.bootstrap */}}
+ {{- /* Types can only be created for backends defined in Values.conf */}}
+ {{- $volumeTypes := .Values.bootstrap.volume_types }}
+ {{- /* Generating list of backends listed in .Values.conf.backends */}}
+ {{- $backendsList := list}}
+ {{- range $backend_name, $backend_properties := .Values.conf.backends }}
+ {{- if and $backend_properties $backend_properties.volume_backend_name }}
+ {{- $backendsList = append $backendsList $backend_properties.volume_backend_name }}
+ {{- end }}
+ {{- end }}
+
+ {{- range $name, $properties := $volumeTypes }}
+ {{- if and $properties.volume_backend_name (has $properties.volume_backend_name $backendsList) }}
+ {{- $access_type := $properties.access_type | default "public"}}
+ # Create a volume type if it doesn't exist.
+ # Assumption: the volume type name is unique.
+ openstack volume type show {{ $name }} || \
+ openstack volume type create \
+ --{{ $access_type }} \
+ {{ $name }}
+ {{/*
+ We will try to set or update volume type properties.
+ To update properties, the volume type MUST NOT BE IN USE,
+ and projects and domains with access to the volume type
+ MUST EXIST, as well.
+ */}}
+ is_in_use=$(openstack volume list --long --all-projects -c Type -f value | grep -E "^{{ $name }}\s*$" || true)
+ if [[ -z ${is_in_use} ]]; then
+ {{- if (eq $access_type "private") }}
+ volumeTypeID=$(openstack volume type show {{ $name }} -f value -c id)
+ cinder type-update --is-public false ${volumeTypeID}
+ {{- end }}
+
+ {{- if and $properties.grant_access (eq $access_type "private") }}
+ {{- range $domain, $domainProjects := $properties.grant_access }}
+ {{- range $project := $domainProjects }}
+ project_id=$(openstack project show --domain {{ $domain }} -c id -f value {{ $project }})
+ if [[ -z $(openstack volume type show {{ $name }} -c access_project_ids -f value | grep ${project_id} || true) ]]; then
+ openstack volume type set --project-domain {{ $domain }} --project {{ $project }} {{ $name }}
+ fi
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{- range $key, $value := $properties }}
+ {{- if and (ne $key "access_type") (ne $key "grant_access") $value }}
+ openstack volume type set --property {{ $key }}={{ $value }} {{ $name }}
+ {{- end }}
+ {{- end }}
+ fi
+ {{- end }}
+ {{- end }}
+
+ {{- /* Create volumes defined in Values.conf.backends */}}
+ {{- if .Values.bootstrap.bootstrap_conf_backends }}
+ {{- range $name, $properties := .Values.conf.backends }}
+ {{- if $properties }}
+ openstack volume type show {{ $name }} || \
+ openstack volume type create \
+ --public \
+ --property volume_backend_name={{ $properties.volume_backend_name }} \
+ {{ $name }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{- /* Create and associate volume QoS if defined */}}
+ {{- if .Values.bootstrap.volume_qos}}
+ {{- range $qos_name, $qos_properties := .Values.bootstrap.volume_qos }}
+ type_defined=true
+ {{- /* If the volume type to associate with is not defined, skip the qos */}}
+ {{- range $qos_properties.associates }}
+ if ! openstack volume type show {{ . }}; then
+ type_defined=false
+ fi
+ {{- end }}
+ if [[ ${type_defined} ]]; then
+ openstack volume qos show {{ $qos_name }} || \
+ openstack volume qos create \
+ --consumer {{ $qos_properties.consumer }} \
+ {{- range $key, $value := $qos_properties.properties }}
+ --property {{ $key }}={{ $value }} \
+ {{- end }}
+ {{ $qos_name }}
+ {{- range $qos_properties.associates }}
+ openstack volume qos associate {{ $qos_name }} {{ . }}
+ {{- end }}
+ fi
+ {{- end }}
+ {{- end }}
+
+{{- /* Check volume type and properties were added */}}
+openstack volume type list --long
+openstack volume qos list
+{{- end }}
+
+exit 0
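Review bot: `{{- if .Values.bootstrap.enabled | default "echo 'Not Enabled'" }}` does not gate the script as intended: when `bootstrap.enabled` is false, Sprig's `default` replaces the empty value with the string, which is truthy, so the whole block still renders; `{{- if .Values.bootstrap.enabled }}` is what the comment implies. Further down, `if [[ ${type_defined} ]]; then` tests for a non-empty string and `false` is non-empty, so a QoS spec is created even when one of its associated volume types does not exist; it should be `if [[ ${type_defined} == true ]]; then`. The `{{ $name }}` and `--property {{ $key }}={{ $value }}` interpolations are unquoted in shell and would word-split on values containing spaces; I cannot tell from here whether any chart sets such values.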
diff --git a/charts/cinder/templates/bin/_ceph-admin-keyring.sh.tpl b/charts/cinder/templates/bin/_ceph-admin-keyring.sh.tpl
new file mode 100644
index 0000000..f19bf03
--- /dev/null
+++ b/charts/cinder/templates/bin/_ceph-admin-keyring.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat <<EOF > /etc/ceph/ceph.client.admin.keyring
+[client.admin]
+{{- if .Values.conf.ceph.admin_keyring }}
+ key = {{ .Values.conf.ceph.admin_keyring }}
+{{- else }}
+ key = $(cat /tmp/client-keyring)
+{{- end }}
+EOF
+
+exit 0
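Review bot: The keyring is written to `/etc/ceph/ceph.client.admin.keyring` with whatever umask the container inherits, so the admin key may be group- or world-readable inside the container; adding `umask 077` after `set -ex` makes the file mode independent of the image default. The same applies to `_ceph-keyring.sh.tpl` and `_external-ceph-rbd-admin-keyring.sh.tpl` in the hunks below. Note also that `.Values.conf.ceph.admin_keyring` is rendered directly into this script, so the key is stored wherever the rendered script is stored — I cannot see from here whether that is a Secret or a ConfigMap, which is worth confirming.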
diff --git a/charts/cinder/templates/bin/_ceph-keyring.sh.tpl b/charts/cinder/templates/bin/_ceph-keyring.sh.tpl
new file mode 100644
index 0000000..521a748
--- /dev/null
+++ b/charts/cinder/templates/bin/_ceph-keyring.sh.tpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat <<EOF > /etc/ceph/ceph.client.${RBD_USER}.keyring
+[client.${RBD_USER}]
+ key = $(cat /tmp/client-keyring)
+EOF
+
+{{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
+cat <<EOF > /etc/ceph/ceph.client.${EXTERNAL_RBD_USER}.keyring
+[client.${EXTERNAL_RBD_USER}]
+ key = $(cat /tmp/external-ceph-client-keyring)
+EOF
+{{- end }}
+
+exit 0
diff --git a/charts/cinder/templates/bin/_cinder-api.sh.tpl b/charts/cinder/templates/bin/_cinder-api.sh.tpl
new file mode 100644
index 0000000..3b64745
--- /dev/null
+++ b/charts/cinder/templates/bin/_cinder-api.sh.tpl
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+{{- if .Values.manifests.certificates }}
+ for WSGI_SCRIPT in cinder-wsgi; do
+ cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/
+ done
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+{{- end }}
+
+ if [ -f /var/run/apache2/apache2.pid ]; then
+ # Remove the stale pid for debian/ubuntu images
+ rm -f /var/run/apache2/apache2.pid
+ fi
+ # Starts Apache2
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+ exec cinder-api \
+ --config-file /etc/cinder/cinder.conf
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+ kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
diff --git a/charts/cinder/templates/bin/_cinder-backup.sh.tpl b/charts/cinder/templates/bin/_cinder-backup.sh.tpl
new file mode 100644
index 0000000..77795e2
--- /dev/null
+++ b/charts/cinder/templates/bin/_cinder-backup.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec cinder-backup \
+ --config-file /etc/cinder/cinder.conf
diff --git a/charts/cinder/templates/bin/_cinder-scheduler.sh.tpl b/charts/cinder/templates/bin/_cinder-scheduler.sh.tpl
new file mode 100644
index 0000000..cf06388
--- /dev/null
+++ b/charts/cinder/templates/bin/_cinder-scheduler.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec cinder-scheduler \
+ --config-file /etc/cinder/cinder.conf
diff --git a/charts/cinder/templates/bin/_cinder-volume.sh.tpl b/charts/cinder/templates/bin/_cinder-volume.sh.tpl
new file mode 100644
index 0000000..68186f3
--- /dev/null
+++ b/charts/cinder/templates/bin/_cinder-volume.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec cinder-volume \
+ --config-file /etc/cinder/cinder.conf \
+ --config-file /etc/cinder/conf/backends.conf \
+ --config-file /tmp/pod-shared/internal_tenant.conf
diff --git a/charts/cinder/templates/bin/_clean-secrets.sh.tpl b/charts/cinder/templates/bin/_clean-secrets.sh.tpl
new file mode 100644
index 0000000..31b7177
--- /dev/null
+++ b/charts/cinder/templates/bin/_clean-secrets.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec kubectl delete secret \
+ --namespace ${NAMESPACE} \
+ --ignore-not-found=true \
+ ${RBD_POOL_SECRET}
diff --git a/charts/cinder/templates/bin/_create-internal-tenant-id.sh.tpl b/charts/cinder/templates/bin/_create-internal-tenant-id.sh.tpl
new file mode 100644
index 0000000..dc64158
--- /dev/null
+++ b/charts/cinder/templates/bin/_create-internal-tenant-id.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ "${INTERNAL_PROJECT_NAME}");
+
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${INTERNAL_USER_NAME}");
+
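Review bot: `USER_PROJECT_ID` and `USER_ID` are captured from the two `openstack ... create --or-show` calls but never used in this script, so the assignments only suggest a purpose the file does not have; if the intent is merely to ensure the project and user exist (the IDs are presumably read back by `_retrieve-internal-tenant-id.sh.tpl` further down), drop the assignments or say so with a comment such as `# Ensure the internal project and user exist; their IDs are looked up separately.` The trailing `;` on each command and the double blank line after `set -ex` are stray and can go.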
diff --git a/charts/cinder/templates/bin/_db-sync.sh.tpl b/charts/cinder/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..d874c0b
--- /dev/null
+++ b/charts/cinder/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec cinder-manage db sync
diff --git a/charts/cinder/templates/bin/_external-ceph-rbd-admin-keyring.sh.tpl b/charts/cinder/templates/bin/_external-ceph-rbd-admin-keyring.sh.tpl
new file mode 100644
index 0000000..36d1b49
--- /dev/null
+++ b/charts/cinder/templates/bin/_external-ceph-rbd-admin-keyring.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- if .Values.backup.external_ceph_rbd.admin_keyring }}
+cat <<EOF > /etc/ceph/ceph.client.admin.keyring
+[client.admin]
+ key = {{ .Values.backup.external_ceph_rbd.admin_keyring }}
+EOF
+{{- else }}
+echo "ERROR: You must define the ceph admin keyring in values.yaml to use external_ceph_rbd."
+exit 1
+{{- end }}
+
+exit 0
diff --git a/charts/cinder/templates/bin/_iscsiadm.tpl b/charts/cinder/templates/bin/_iscsiadm.tpl
new file mode 100644
index 0000000..f27d757
--- /dev/null
+++ b/charts/cinder/templates/bin/_iscsiadm.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ iscsiadm "${@:1}"
diff --git a/charts/cinder/templates/bin/_multipath.tpl b/charts/cinder/templates/bin/_multipath.tpl
new file mode 100644
index 0000000..7f84c9c
--- /dev/null
+++ b/charts/cinder/templates/bin/_multipath.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ multipath "${@:1}"
diff --git a/charts/cinder/templates/bin/_multipathd.tpl b/charts/cinder/templates/bin/_multipathd.tpl
new file mode 100644
index 0000000..a9ff34a
--- /dev/null
+++ b/charts/cinder/templates/bin/_multipathd.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ multipathd "${@:1}"
diff --git a/charts/cinder/templates/bin/_retrieve-internal-tenant-id.sh.tpl b/charts/cinder/templates/bin/_retrieve-internal-tenant-id.sh.tpl
new file mode 100644
index 0000000..d770e8c
--- /dev/null
+++ b/charts/cinder/templates/bin/_retrieve-internal-tenant-id.sh.tpl
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+
+USER_PROJECT_ID=$(openstack project show -f value -c id \
+ "${INTERNAL_PROJECT_NAME}");
+
+USER_ID=$(openstack user show -f value -c id \
+ "${INTERNAL_USER_NAME}");
+
+tee /tmp/pod-shared/internal_tenant.conf <<EOF
+[DEFAULT]
+cinder_internal_tenant_project_id = ${USER_PROJECT_ID}
+cinder_internal_tenant_user_id = ${USER_ID}
+EOF
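Review bot: The trailing `;` after the two `$(...)` assignments is redundant in bash and the double blank line after `set -ex` is noise; `USER_PROJECT_ID=$(openstack project show -f value -c id "${INTERNAL_PROJECT_NAME}")` reads cleaner. With `set -e` in effect a failed `openstack ... show` aborts before the config fragment is written, which is the right behaviour here. A short header comment saying that the script resolves INTERNAL_PROJECT_NAME/INTERNAL_USER_NAME into IDs for the cinder_internal_tenant_* options and leaves the result in /tmp/pod-shared (presumably for a sibling container; the consumer is outside this hunk) would make that intent explicit.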
diff --git a/charts/cinder/templates/bin/_storage-init.sh.tpl b/charts/cinder/templates/bin/_storage-init.sh.tpl
new file mode 100644
index 0000000..a43115e
--- /dev/null
+++ b/charts/cinder/templates/bin/_storage-init.sh.tpl
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
+ SECRET=$(mktemp --suffix .yaml)
+ KEYRING=$(mktemp --suffix .keyring)
+ function cleanup {
+ rm -f ${SECRET} ${KEYRING}
+ }
+ trap cleanup EXIT
+fi
+
+set -ex
+if [ "x$STORAGE_BACKEND" == "xcinder.volume.drivers.rbd.RBDDriver" ]; then
+ ceph -s
+ function ensure_pool () {
+ ceph osd pool stats $1 || ceph osd pool create $1 $2
+ if [[ $(ceph mgr versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+ ceph osd pool application enable $1 $3
+ fi
+ size_protection=$(ceph osd pool get $1 nosizechange | cut -f2 -d: | tr -d '[:space:]')
+ ceph osd pool set $1 nosizechange 0
+ ceph osd pool set $1 size ${RBD_POOL_REPLICATION}
+ ceph osd pool set $1 nosizechange ${size_protection}
+ ceph osd pool set $1 crush_rule "${RBD_POOL_CRUSH_RULE}"
+ }
+ ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} ${RBD_POOL_APP_NAME}
+
+ if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
+ echo "Cephx user client.${RBD_POOL_USER} already exist."
+ echo "Update its cephx caps"
+ ceph auth caps client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd"
+ ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
+ else
+ #NOTE(JCL): Restrict Cinder permissions to what is needed. MON Read only and RBD access to Cinder pool only.
+ ceph auth get-or-create client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd" \
+ -o ${KEYRING}
+ fi
+
+ ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0)
+ cat > ${SECRET} <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${RBD_POOL_SECRET}"
+type: kubernetes.io/rbd
+data:
+ key: $( echo ${ENCODED_KEYRING} )
+EOF
+ kubectl apply --namespace ${NAMESPACE} -f ${SECRET}
+
+fi
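Review bot: The cephx key for client.${RBD_POOL_USER} ends up in the container log: `set -ex` is in effect from the second `set` line onward and bash xtrace prints assignments with their expanded values, so `if USERINFO=$(ceph auth get ...)` traces the keyring entry ceph prints (key included), `ENCODED_KEYRING=$(sed ... | base64 -w0)` traces the base64 key, and `$( echo ${ENCODED_KEYRING} )` inside the heredoc traces it a third time. Turn tracing off around the key handling — `set +x` just before the `if USERINFO=...` line and `set -x` after the `kubectl apply` — or drop `-x` from this script; `USERINFO` is never read, so `if ceph auth get client.${RBD_POOL_USER} >/dev/null 2>&1; then` would also avoid holding the key in a variable at all. The heredoc's `$( echo ${ENCODED_KEYRING} )` can simply be `${ENCODED_KEYRING}`. Unquoted `$1`/`$2`/`$3` in ensure_pool and `${SECRET}`/`${KEYRING}` elsewhere work because the values carry no whitespace, but quoting them is the safer habit.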
diff --git a/charts/cinder/templates/bin/_volume-usage-audit.sh.tpl b/charts/cinder/templates/bin/_volume-usage-audit.sh.tpl
new file mode 100644
index 0000000..4cdf7ac
--- /dev/null
+++ b/charts/cinder/templates/bin/_volume-usage-audit.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec cinder-volume-usage-audit --send_actions
diff --git a/charts/cinder/templates/certificates.yaml b/charts/cinder/templates/certificates.yaml
new file mode 100644
index 0000000..7ccf6ca
--- /dev/null
+++ b/charts/cinder/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/cinder/templates/configmap-bin.yaml b/charts/cinder/templates/configmap-bin.yaml
new file mode 100644
index 0000000..4070085
--- /dev/null
+++ b/charts/cinder/templates/configmap-bin.yaml
@@ -0,0 +1,84 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cinder-bin
+data:
+{{- if .Values.conf.enable_iscsi }}
+ iscsiadm: |
+{{ tuple "bin/_iscsiadm.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ multipath: |
+{{ tuple "bin/_multipath.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ multipathd: |
+{{ tuple "bin/_multipathd.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+ rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ create-internal-tenant.sh: |
+{{ tuple "bin/_create-internal-tenant-id.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ retrieve-internal-tenant.sh: |
+{{ tuple "bin/_retrieve-internal-tenant-id.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ cinder-api.sh: |
+{{ tuple "bin/_cinder-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ cinder-backup.sh: |
+{{ tuple "bin/_cinder-backup.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ cinder-scheduler.sh: |
+{{ tuple "bin/_cinder-scheduler.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ cinder-volume.sh: |
+{{ tuple "bin/_cinder-volume.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ceph-keyring.sh: |
+{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ceph-admin-keyring.sh: |
+{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ volume-usage-audit.sh: |
+{{ tuple "bin/_volume-usage-audit.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ backup-storage-init.sh: |
+{{ tuple "bin/_backup-storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ storage-init.sh: |
+{{ tuple "bin/_storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ clean-secrets.sh: |
+{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
+{{- if .Values.backup.external_ceph_rbd.enabled }}
+ external-ceph-rbd-admin-keyring.sh: |
+{{ tuple "bin/_external-ceph-rbd-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
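Review bot: The `{{- end }}` that closes `if .Values.manifests.configmap_bin` sits before the `backup.external_ceph_rbd.enabled` block, so with configmap_bin disabled and external_ceph_rbd enabled the template still emits a bare `external-ceph-rbd-admin-keyring.sh: |` key with no ConfigMap around it, which Helm cannot turn into a resource. Move that `{{- end }}` to the end of the file so the external-ceph entry is rendered inside `data:` only when the ConfigMap itself is rendered.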
diff --git a/charts/cinder/templates/configmap-etc.yaml b/charts/cinder/templates/configmap-etc.yaml
new file mode 100644
index 0000000..a2ad5f2
--- /dev/null
+++ b/charts/cinder/templates/configmap-etc.yaml
@@ -0,0 +1,167 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.cinder.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "username" .Values.endpoints.identity.auth.cinder.username -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "password" .Values.endpoints.identity.auth.cinder.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.cinder.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.cinder.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.cinder.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.cinder.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.DEFAULT.glance_api_servers -}}
+{{- $_ := tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "glance_api_servers" -}}
+{{- end -}}
+
+{{- if (contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver) }}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_auth_version -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_auth_version" "3" -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "backup_swift_auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user_domain -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.cinder.username -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_key -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.cinder.password -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project_domain -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.DEFAULT.swift_catalog_info -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "swift_catalog_info" "object-store:swift:internalURL" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.cinder.DEFAULT.osapi_volume_listen_port -}}
+{{- $_ := tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}}
+{{- end -}}
+
+{{- if .Values.conf.cinder.service_user.send_service_user_token -}}
+{{- if empty .Values.conf.cinder.service_user.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.region_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.project_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.project_domain_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.user_domain_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.username -}}
+{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.cinder.username -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.service_user.password -}}
+{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.cinder.password -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cinder-etc
+type: Opaque
+data:
+ rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+ cinder.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.cinder | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+ backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
+ api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+{{- if .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+ cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
+ rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
+ resource_filters.json: {{ toJson .Values.conf.resource_filters | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-" $key }}
+ {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
+{{- if .Values.backup.external_ceph_rbd.enabled }}
+ external-backup-ceph.conf: {{ include "helm-toolkit.utils.to_ini" .Values.backup.external_ceph_rbd.conf | b64enc }}
+{{- end }}
+{{- if .Values.ceph_client.enable_external_ceph_backend }}
+ external-ceph.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.ceph_client.external_ceph.conf | b64enc }}
+{{- end }}
+{{- end }}
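Review bot: `memcache_secret_key` falls back to `randAlphaNum 64` when neither conf.cinder.keystone_authtoken.memcache_secret_key nor endpoints.oslo_cache.auth.memcache_secret_key is set, which yields a different value on every render, so each `helm upgrade` rotates the key keystonemiddleware uses for its memcache token cache (when a cache security strategy is configured) and invalidates the cached entries — an availability blip rather than an exposure, since the value only lands in the cinder-etc Secret. A comment on that line stating the trade-off, e.g. `{{/* random per render: pin endpoints.oslo_cache.auth.memcache_secret_key to keep the token cache valid across upgrades */}}`, would save the next operator a surprise.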
diff --git a/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
new file mode 100644
index 0000000..c1c317c
--- /dev/null
+++ b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
@@ -0,0 +1,107 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_volume_usage_audit }}
+{{- $envAll := . }}
+
+{{- $mounts_cinder_volume_usage_audit := .Values.pod.mounts.cinder_volume_usage_audit.cinder_volume_usage_audit }}
+{{- $mounts_cinder_volume_usage_audit_init := .Values.pod.mounts.cinder_volume_usage_audit.init_container }}
+
+{{- $serviceAccountName := "cinder-volume-usage-audit" }}
+{{ tuple $envAll "volume_usage_audit" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: cinder-volume-usage-audit
+ labels:
+{{ tuple $envAll "cinder" "volume-usage-audit" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.volume_usage_audit.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.volume_usage_audit.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.volume_usage_audit.history.failed }}
+ {{- if .Values.jobs.volume_usage_audit.starting_deadline }}
+ startingDeadlineSeconds: {{ .Values.jobs.volume_usage_audit.starting_deadline }}
+ {{- end }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "volume-usage-audit" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "volume-usage-audit" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "cinder-volume-usage-audit" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 12 }}
+ spec:
+{{ dict "envAll" $envAll "application" "volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "volume_usage_audit" $mounts_cinder_volume_usage_audit_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ containers:
+ - name: cinder-volume-usage-audit
+{{ tuple $envAll "cinder_volume_usage_audit" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.volume_usage_audit | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "volume_usage_audit" "container" "cinder_volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+ command:
+ - /tmp/volume-usage-audit.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etccinder
+ mountPath: /etc/cinder
+ - name: cinder-etc
+ mountPath: /etc/cinder/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: cinder-bin
+ mountPath: /tmp/volume-usage-audit.sh
+ subPath: volume-usage-audit.sh
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+{{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etccinder
+ emptyDir: {}
+ - name: cinder-etc
+ secret:
+ secretName: cinder-etc
+ defaultMode: 0444
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/deployment-api.yaml b/charts/cinder/templates/deployment-api.yaml
new file mode 100644
index 0000000..7925c60
--- /dev/null
+++ b/charts/cinder/templates/deployment-api.yaml
@@ -0,0 +1,185 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_cinder_api := .Values.pod.mounts.cinder_api.cinder_api }}
+{{- $mounts_cinder_api_init := .Values.pod.mounts.cinder_api.init_container }}
+
+{{- $serviceAccountName := "cinder-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cinder-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-api" "containerNames" (list "cinder-api" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder_api" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_cinder_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ - name: ceph-coordination-volume-perms
+{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_api" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - chown
+ - -R
+ - "cinder:"
+ - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{ end }}
+ containers:
+ - name: cinder-api
+{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/cinder-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/cinder-api.sh
+ - stop
+ ports:
+ - name: c-api
+ containerPort: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 30
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: wsgi-cinder
+ mountPath: /var/www/cgi-bin/cinder
+ - name: cinder-bin
+ mountPath: /tmp/cinder-api.sh
+ subPath: cinder-api.sh
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: cinder-etc
+ mountPath: /etc/cinder/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
+ subPath: resource_filters.json
+ readOnly: true
+{{- if .Values.conf.security }}
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+ subPath: security.conf
+ readOnly: true
+{{- end }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{- end }}
+ {{- if .Values.manifests.certificates }}
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf
+ subPath: wsgi-cinder.conf
+ readOnly: true
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+ subPath: mpm_event.conf
+ readOnly: true
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: wsgi-cinder
+ emptyDir: {}
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+ - name: cinder-etc
+ secret:
+ secretName: cinder-etc
+ defaultMode: 0444
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
+ # pods for the coordination backend to be fully functional.
+ - name: cinder-coordination
+ emptyDir: {}
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
+{{- end }}
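Review bot: The `{{- if .Values.conf.security }}` volumeMount pulls `security.conf` via subPath from the cinder-etc Secret, but the Secret rendered by configmap-etc.yaml in this same commit (L34885-34916) has no `security.conf` key, so turning conf.security on produces a subPath that does not exist in the volume. Either render `.Values.conf.security` into cinder-etc — the `helm-toolkit.snippets.values_template_renderer` call already used there for mpm_event.conf and wsgi-cinder.conf is the obvious vehicle — or remove this mount. Whatever the kubelet does with the missing subPath, the apache hardening file the operator asked for would not reach the container, and nothing in the template would flag it.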
diff --git a/charts/cinder/templates/deployment-backup.yaml b/charts/cinder/templates/deployment-backup.yaml
new file mode 100644
index 0000000..b4a429b
--- /dev/null
+++ b/charts/cinder/templates/deployment-backup.yaml
@@ -0,0 +1,342 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_backup }}
+{{- $envAll := . }}
+
+{{- $internal_ceph_backend := .Values.ceph_client.internal_ceph_backend }}
+
+{{- $mounts_cinder_backup := .Values.pod.mounts.cinder_backup.cinder_backup }}
+{{- $mounts_cinder_backup_init := .Values.pod.mounts.cinder_backup.init_container }}
+
+{{- $serviceAccountName := "cinder-backup" }}
+{{ tuple $envAll "backup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cinder-backup
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.backup }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-backup" "containerNames" (list "cinder-backup" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.backup.node_selector_key }}: {{ .Values.labels.backup.node_selector_value }}
+{{- if .Values.pod.useHostNetwork.backup }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+{{- if .Values.conf.enable_iscsi }}
+ hostIPC: true
+{{- end }}
+ initContainers:
+{{ tuple $envAll "backup" $mounts_cinder_backup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: ceph-backup-keyring-placement
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_backup_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ceph-keyring.sh
+ env:
+ - name: RBD_USER
+ value: {{ .Values.conf.cinder.DEFAULT.backup_ceph_user | quote }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: cinder-bin
+ mountPath: /tmp/ceph-keyring.sh
+ subPath: ceph-keyring.sh
+ readOnly: true
+ - name: ceph-backup-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ {{- range $name := rest (splitList "," (include "cinder.utils.ceph_backend_list" $envAll)) }}
+ {{- $backend := index $envAll.Values.conf.backends $name }}
+ {{- if eq $internal_ceph_backend $name }}
+ - name: ceph-keyring-placement-{{$name}}
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ceph-keyring.sh
+ env:
+ - name: RBD_USER
+ value: {{ $backend.rbd_user | quote }}
+{{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
+ - name: EXTERNAL_RBD_USER
+ value: {{ $envAll.Values.ceph_client.external_ceph.rbd_user | quote }}
+{{- end }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: cinder-bin
+ mountPath: /tmp/ceph-keyring.sh
+ subPath: ceph-keyring.sh
+ readOnly: true
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
+ - name: external-ceph-keyring
+ mountPath: /tmp/external-ceph-client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: ceph-backup-volume-perms
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_backup_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - chown
+ - -R
+ - "cinder:"
+ - {{ .Values.conf.cinder.DEFAULT.backup_posix_path }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-backup
+ mountPath: {{ .Values.conf.cinder.DEFAULT.backup_posix_path }}
+ {{ end }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ - name: ceph-coordination-volume-perms
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - chown
+ - -R
+ - "cinder:"
+ - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{ end }}
+ containers:
+ - name: cinder-backup
+{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/cinder-backup.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-tmp
+ mountPath: /var/lib/cinder/tmp
+ - name: cinder-bin
+ mountPath: /tmp/cinder-backup.sh
+ subPath: cinder-backup.sh
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ {{ if or (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) (eq "true" (include "cinder.utils.has_ceph_backend" $envAll)) }}
+ - name: etcceph
+ mountPath: /etc/ceph
+ {{- if not .Values.backup.external_ceph_rbd.enabled }}
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- else }}
+ - name: cinder-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: external-backup-ceph.conf
+ readOnly: true
+ {{- end }}
+ {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: ceph-backup-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- else }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- if .Values.ceph_client.enable_external_ceph_backend }}
+ - name: cinder-etc
+ mountPath: /etc/ceph/external-ceph.conf
+ subPath: external-ceph.conf
+ readOnly: true
+ {{- if .Values.ceph_client.external_ceph.rbd_user }}
+ - name: external-ceph-keyring
+ mountPath: /tmp/external-ceph-client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: cinder-backup
+ mountPath: {{ .Values.conf.cinder.DEFAULT.backup_posix_path }}
+ {{- end }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{- end }}
+ - name: cinder-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_cinder_sudoers
+ subPath: cinder_sudoers
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
+ subPath: cinder_sudoers
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/rootwrap.d/volume.filters
+ subPath: volume.filters
+ readOnly: true
+ {{- if .Values.conf.enable_iscsi }}
+ - name: host-rootfs
+ mountPath: /mnt/host-rootfs
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: host-dev
+ mountPath: /dev
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: runlock
+ mountPath: /run/lock
+ - name: etciscsi
+ mountPath: /etc/iscsi
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: usrlocalsbin
+ mountPath: /usr/local/sbin
+ - name: cinder-bin
+ mountPath: /usr/local/sbin/iscsiadm
+ subPath: iscsiadm
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: cinder-tmp
+ emptyDir: {}
+ - name: cinder-etc
+ secret:
+ secretName: cinder-etc
+ defaultMode: 0444
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+ {{ if or (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) (eq "true" (include "cinder.utils.has_ceph_backend" $envAll)) }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ {{ end }}
+ {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: ceph-backup-keyring
+ secret:
+ secretName: {{ .Values.secrets.rbd.backup | quote }}
+ {{ end }}
+ {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.secrets.rbd.volume | quote }}
+ {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
+ - name: external-ceph-keyring
+ secret:
+ secretName: {{ .Values.secrets.rbd.volume_external | quote }}
+ {{ end }}
+ {{ end }}
+ {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: cinder-backup
+ persistentVolumeClaim:
+ claimName: cinder-backup
+ {{- end }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
+ # pods for the coordination backend to be fully functional.
+ - name: cinder-coordination
+ emptyDir: {}
+ {{- end }}
+ {{- if .Values.conf.enable_iscsi }}
+ - name: host-rootfs
+ hostPath:
+ path: /
+ - name: host-dev
+ hostPath:
+ path: /dev
+ - name: runlock
+ hostPath:
+ path: /run/lock
+ - name: etciscsi
+ hostPath:
+ path: /etc/iscsi
+ - name: usrlocalsbin
+ emptyDir: {}
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_cinder_backup.volumes }}{{ toYaml $mounts_cinder_backup.volumes | indent 8 }}{{ end }}
+{{- end }}
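Review bot: The chown targets and mountPaths taken from values — `- {{ .Values.conf.cinder.DEFAULT.backup_posix_path }}`, `mountPath: {{ .Values.conf.cinder.DEFAULT.backup_posix_path }}` and the two `( split "://" .Values.conf.cinder.coordination.backend_url )._1` expansions — are emitted as plain scalars, so an operator-supplied path containing `: `, ` #` or a leading YAML indicator breaks the rendered manifest, while the neighbouring `RBD_USER` value in the same init containers is passed through `| quote`. Piping these through `| quote` as well, e.g. `- {{ .Values.conf.cinder.DEFAULT.backup_posix_path | quote }}`, keeps the template consistent with how it already treats other templated scalars; the same unquoted coordination-path expansions appear in the deployment-scheduler.yaml and deployment-volume.yaml hunks of this commit. Separately, the `ceph-backup-keyring` secret volume is declared without a `defaultMode`, unlike `cinder-etc` and `ceph-etc` which pin 0444, so the keyring file falls back to the Kubernetes default mode; whether a tighter mode is safe depends on the fsGroup set by the pod security context snippet, which is not visible here, so a comment such as `# NOTE(review): consider a restrictive defaultMode for the keyring once the pod fsGroup is confirmed` would record the open question.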
diff --git a/charts/cinder/templates/deployment-scheduler.yaml b/charts/cinder/templates/deployment-scheduler.yaml
new file mode 100644
index 0000000..59c3597
--- /dev/null
+++ b/charts/cinder/templates/deployment-scheduler.yaml
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_scheduler }}
+{{- $envAll := . }}
+
+{{- $mounts_cinder_scheduler := .Values.pod.mounts.cinder_scheduler.cinder_scheduler }}
+{{- $mounts_cinder_scheduler_init := .Values.pod.mounts.cinder_scheduler.init_container }}
+
+{{- $serviceAccountName := "cinder-scheduler" }}
+{{ tuple $envAll "scheduler" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cinder-scheduler
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.scheduler }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-scheduler" "containerNames" (list "cinder-scheduler" "ceph-coordination-volume-perms" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.scheduler.node_selector_key }}: {{ .Values.labels.scheduler.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "scheduler" $mounts_cinder_scheduler_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ - name: ceph-coordination-volume-perms
+{{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_scheduler" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - chown
+ - -R
+ - "cinder:"
+ - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{ end }}
+ containers:
+ - name: cinder-scheduler
+{{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_scheduler" "container" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/cinder-scheduler.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-bin
+ mountPath: /tmp/cinder-scheduler.sh
+ subPath: cinder-scheduler.sh
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: cinder-etc
+ mountPath: /etc/cinder/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+ - name: cinder-etc
+ secret:
+ secretName: cinder-etc
+ defaultMode: 0444
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
+ # pods for the coordination backend to be fully functional.
+ - name: cinder-coordination
+ emptyDir: {}
+ {{- end }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }}
+{{- end }}
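Review bot: The scheduler container mounts `/etc/cinder/api-paste.ini` and `/etc/cinder/policy.yaml` from the `cinder-etc` secret, which neither the backup nor the volume container in this commit does; if the scheduler process does not consult them, dropping those two mounts keeps the container at the minimum configuration surface, and if it does, a one-line comment above them saying why would help the next reader. Also, the `tls_volume` include for the volumev3 secret appears to carry leading whitespace and uses `.Values` (` {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}`), while its two siblings on the following lines sit at column 0 and use `$envAll.Values`; the left-trim makes the rendered output identical, but aligning the three lines makes the volumes block easier to scan.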
diff --git a/charts/cinder/templates/deployment-volume.yaml b/charts/cinder/templates/deployment-volume.yaml
new file mode 100644
index 0000000..135672a
--- /dev/null
+++ b/charts/cinder/templates/deployment-volume.yaml
@@ -0,0 +1,339 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_volume }}
+{{- $envAll := . }}
+
+{{- $internal_ceph_backend := .Values.ceph_client.internal_ceph_backend }}
+
+{{- $mounts_cinder_volume := .Values.pod.mounts.cinder_volume.cinder_volume }}
+{{- $mounts_cinder_volume_init := .Values.pod.mounts.cinder_volume.init_container }}
+
+{{- $serviceAccountName := "cinder-volume" }}
+{{ tuple $envAll "volume" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cinder-volume
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.volume }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "cinder-volume" "containerNames" (list "cinder-volume" "ceph-coordination-volume-perms" "init-cinder-conf" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.volume.node_selector_key }}: {{ .Values.labels.volume.node_selector_value }}
+{{- if .Values.pod.useHostNetwork.volume }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+{{- if .Values.conf.enable_iscsi }}
+ hostIPC: true
+{{- end }}
+ initContainers:
+{{ tuple $envAll "volume" $mounts_cinder_volume_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{- range $name := rest (splitList "," (include "cinder.utils.ceph_backend_list" $envAll)) }}
+ {{- $backend := index $envAll.Values.conf.backends $name }}
+ {{- if eq $internal_ceph_backend $name }}
+ - name: ceph-keyring-placement-{{$name}}
+{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ceph-keyring.sh
+ env:
+ - name: RBD_USER
+ value: {{ $backend.rbd_user | quote }}
+{{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
+ - name: EXTERNAL_RBD_USER
+ value: {{ $envAll.Values.ceph_client.external_ceph.rbd_user | quote }}
+{{- end }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: cinder-bin
+ mountPath: /tmp/ceph-keyring.sh
+ subPath: ceph-keyring.sh
+ readOnly: true
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
+ - name: external-ceph-keyring
+ mountPath: /tmp/external-ceph-client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ - name: ceph-coordination-volume-perms
+{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - chown
+ - -R
+ - "cinder:"
+ - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{ end }}
+ - name: init-cinder-conf
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "init_cinder_conf" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ image: {{ .Values.images.tags.ks_user }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+ command:
+ - /tmp/retrieve-internal-tenant.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-bin
+ mountPath: /tmp/retrieve-internal-tenant.sh
+ subPath: retrieve-internal-tenant.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: INTERNAL_PROJECT_NAME
+ value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
+ - name: INTERNAL_USER_NAME
+ value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
+{{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ containers:
+ - name: cinder-volume
+{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/cinder-volume.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-bin
+ mountPath: /tmp/cinder-volume.sh
+ subPath: cinder-volume.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: cinder-conversion
+ mountPath: /var/lib/cinder/conversion
+ - name: cinder-etc
+ mountPath: /etc/cinder/cinder.conf
+ subPath: cinder.conf
+ readOnly: true
+ {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
+ - name: cinder-etc
+ mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: cinder-etc
+ mountPath: /etc/cinder/conf/backends.conf
+ subPath: backends.conf
+ readOnly: true
+ {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- if .Values.ceph_client.enable_external_ceph_backend }}
+ - name: cinder-etc
+ mountPath: /etc/ceph/external-ceph.conf
+ subPath: external-ceph.conf
+ readOnly: true
+ {{- if .Values.ceph_client.external_ceph.rbd_user }}
+ - name: external-ceph-keyring
+ mountPath: /tmp/external-ceph-client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{- end }}
+ - name: cinder-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_cinder_sudoers
+ subPath: cinder_sudoers
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
+ subPath: cinder_sudoers
+ readOnly: true
+ - name: cinder-etc
+ mountPath: /etc/cinder/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "volume" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/cinder/rootwrap.d/%s.filters" $filePrefix }}
+ - name: cinder-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- if .Values.conf.enable_iscsi }}
+ - name: host-rootfs
+ mountPath: /mnt/host-rootfs
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: host-dev
+ mountPath: /dev
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: runlock
+ mountPath: /run/lock
+ - name: etciscsi
+ mountPath: /etc/iscsi
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: usrlocalsbin
+ mountPath: /usr/local/sbin
+ - name: cinder-bin
+ mountPath: /usr/local/sbin/iscsiadm
+ subPath: iscsiadm
+ - name: cinder-bin
+ mountPath: /usr/local/sbin/multipath
+ subPath: multipath
+ - name: cinder-bin
+ mountPath: /usr/local/sbin/multipathd
+ subPath: multipathd
+ - name: etcmultipath
+ mountPath: /etc/multipath
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ - name: sys
+ mountPath: /sys
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+ - name: cinder-etc
+ secret:
+ secretName: cinder-etc
+ defaultMode: 0444
+ - name: pod-shared
+ emptyDir: {}
+ - name: cinder-conversion
+ emptyDir: {}
+ {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.secrets.rbd.volume | quote }}
+ {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
+ - name: external-ceph-keyring
+ secret:
+ secretName: {{ .Values.secrets.rbd.volume_external | quote }}
+ {{ end }}
+ {{ end }}
+ {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
+ # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
+ # pods for the coordination backend to be fully functional.
+ - name: cinder-coordination
+ emptyDir: {}
+ {{- end }}
+ {{- if .Values.conf.enable_iscsi }}
+ - name: host-rootfs
+ hostPath:
+ path: /
+ - name: host-dev
+ hostPath:
+ path: /dev
+ - name: runlock
+ hostPath:
+ path: /run/lock
+ - name: etciscsi
+ hostPath:
+ path: /etc/iscsi
+ - name: usrlocalsbin
+ emptyDir: {}
+ - name: etcmultipath
+ hostPath:
+ path: /etc/multipath
+ - name: sys
+ hostPath:
+ path: /sys
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
+{{- end }}
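Review bot: The `etcmultipath` mount requests `mountPropagation: Bidirectional`, which the Kubernetes API accepts only for a privileged container, so the `cinder_volume` container security context provided through `helm-toolkit.snippets.kubernetes_container_security_context` has to grant privileged mode whenever `conf.enable_iscsi` is on; that coupling is invisible in this template and deserves a comment above the mount such as `# Bidirectional propagation is only accepted for a privileged container; keep the cinder_volume container security context in sync`. The `host-rootfs` and `sys` hostPath mounts are read-write as well; if the iSCSI/multipath wrappers only need to read or chroot into them, `readOnly: true` on the mounts would narrow what a compromised container can alter on the node, which is worth verifying against the wrapper scripts rather than assuming. Finally, `init-cinder-conf` sets `image: {{ .Values.images.tags.ks_user }}` and `imagePullPolicy` by hand while every other container in this hunk goes through `helm-toolkit.snippets.image`; using the include there too keeps image handling uniform across the pod.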
diff --git a/charts/cinder/templates/ingress-api.yaml b/charts/cinder/templates/ingress-api.yaml
new file mode 100644
index 0000000..f5ab1ff
--- /dev/null
+++ b/charts/cinder/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volumev3" "backendPort" "c-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.volumev3.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volumev3.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-backup-storage-init.yaml b/charts/cinder/templates/job-backup-storage-init.yaml
new file mode 100644
index 0000000..8168b90
--- /dev/null
+++ b/charts/cinder/templates/job-backup-storage-init.yaml
@@ -0,0 +1,188 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_backup_storage_init }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "cinder-backup-storage-init" }}
+{{ tuple $envAll "backup_storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cinder-backup-storage-init
+ labels:
+{{ tuple $envAll "cinder" "backup-storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "cinder-backup-storage-init" "containerNames" (list "cinder-backup-storage-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "backup_storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: ceph-keyring-placement
+{{ tuple $envAll "cinder_backup_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ {{- if not .Values.backup.external_ceph_rbd.enabled }}
+ - name: cinder-bin
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- else }}
+ - name: cinder-bin
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: external-ceph-rbd-admin-keyring.sh
+ readOnly: true
+ {{ end }}
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ {{ end }}
+ containers:
+ - name: cinder-backup-storage-init
+{{ tuple $envAll "cinder_backup_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.backup_storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "cinder_backup_storage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: STORAGE_BACKEND
+ value: {{ .Values.conf.cinder.DEFAULT.backup_driver | quote }}
+ {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: RBD_POOL_NAME
+ value: {{ .Values.conf.cinder.DEFAULT.backup_ceph_pool | quote }}
+ - name: RBD_POOL_APP_NAME
+ value: {{ .Values.conf.ceph.pools.backup.app_name | quote }}
+ - name: RBD_POOL_USER
+ value: {{ .Values.conf.cinder.DEFAULT.backup_ceph_user | quote }}
+ - name: RBD_POOL_CRUSH_RULE
+ value: {{ .Values.conf.ceph.pools.backup.crush_rule | quote }}
+ - name: RBD_POOL_REPLICATION
+ value: {{ .Values.conf.ceph.pools.backup.replication | quote }}
+ - name: RBD_POOL_CHUNK_SIZE
+ value: {{ .Values.conf.ceph.pools.backup.chunk_size | quote }}
+ - name: RBD_POOL_SECRET
+ value: {{ .Values.secrets.rbd.backup | quote }}
+ {{ end }}
+ command:
+ - /tmp/backup-storage-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-bin
+ mountPath: /tmp/backup-storage-init.sh
+ subPath: backup-storage-init.sh
+ readOnly: true
+ {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: etcceph
+ mountPath: /etc/ceph
+ {{- if not .Values.backup.external_ceph_rbd.enabled }}
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- else }}
+ - name: cinder-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: external-backup-ceph.conf
+ readOnly: true
+ {{- end }}
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+ {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ {{- if .Values.backup.external_ceph_rbd.enabled }}
+ - name: cinder-etc
+ secret:
+ secretName: cinder-etc
+ defaultMode: 0444
+ {{- end }}
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.ceph_client.user_secret_name }}
+ {{ end }}
+ {{ end }}
+{{- end }}
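Review bot: The Role at rules (the `secrets` rule with get/create/update/patch) grants those verbs on every Secret in the release namespace, although the job only needs to manage the backup rbd keyring secret named by `.Values.secrets.rbd.backup`. The get/update/patch verbs can be narrowed with a `resourceNames` list carrying that secret name; `create` cannot be scoped by resourceNames in Kubernetes RBAC, so it would stay namespace-wide, but the write surface of a compromised init pod still shrinks considerably. The same namespace-wide Secret grant appears in job-clean.yaml (get/delete) and in the Role of job-storage-init.yaml further down. Separately, the untrimmed `{{ end }}` actions after the ceph volumeMounts and volumes blocks (three in this hunk) leave blank lines in the rendered manifest; `{{- end }}` as used elsewhere in the same file is the consistent form.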
diff --git a/charts/cinder/templates/job-bootstrap.yaml b/charts/cinder/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..0db5409
--- /dev/null
+++ b/charts/cinder/templates/job-bootstrap.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-clean.yaml b/charts/cinder/templates/job-clean.yaml
new file mode 100644
index 0000000..d4efac5
--- /dev/null
+++ b/charts/cinder/templates/job-clean.yaml
@@ -0,0 +1,126 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_clean }}
+{{- $envAll := . }}
+{{ if or (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) (eq "true" (include "cinder.utils.has_ceph_backend" $envAll)) }}
+
+{{- $serviceAccountName := print "cinder-clean" }}
+{{ tuple $envAll "clean" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ print "cinder-clean" }}
+ labels:
+{{ tuple $envAll "cinder" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "clean" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "clean" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+ - name: cinder-volume-rbd-secret-clean
+{{ tuple $envAll "cinder_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.clean | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "clean" "container" "cinder_volume_rbd_secret_clean" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RBD_POOL_SECRET
+ value: {{ .Values.secrets.rbd.volume | quote }}
+ command:
+ - /tmp/clean-secrets.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-bin
+ mountPath: /tmp/clean-secrets.sh
+ subPath: clean-secrets.sh
+ readOnly: true
+ {{ end }}
+ {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
+ - name: cinder-volume-backup-secret-clean
+{{ tuple $envAll "cinder_backup_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.clean | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RBD_POOL_SECRET
+ value: {{ .Values.secrets.rbd.backup | quote }}
+ command:
+ - /tmp/clean-secrets.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-bin
+ mountPath: /tmp/clean-secrets.sh
+ subPath: clean-secrets.sh
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+{{- end }}
+{{- end }}
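Review bot: The second container, `cinder-volume-backup-secret-clean`, is rendered without the `helm-toolkit.snippets.kubernetes_container_security_context` include that the `cinder-volume-rbd-secret-clean` container gets right after its resources snippet, so it runs with only the pod-level context and whatever capabilities the image defaults to. Adding `{{ dict "envAll" $envAll "application" "clean" "container" "cinder_volume_backup_secret_clean" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources line makes the two containers consistent, provided a matching entry exists (or is added) under the chart's `pod.security_context.clean.container` values, which are not visible in this hunk. Both containers also reach the same `/tmp/clean-secrets.sh` with only `RBD_POOL_SECRET` differing, which is fine but worth a one-line comment above each `- name:` naming which secret it removes.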
diff --git a/charts/cinder/templates/job-create-internal-tenant.yaml b/charts/cinder/templates/job-create-internal-tenant.yaml
new file mode 100644
index 0000000..b298e36
--- /dev/null
+++ b/charts/cinder/templates/job-create-internal-tenant.yaml
@@ -0,0 +1,101 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_create_internal_tenant }}
+{{- $envAll := . }}
+
+{{- $serviceName := "cinder" }}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "create-internal-tenant" }}
+{{ tuple $envAll "create_internal_tenant" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "create-internal-tenant" | quote }}
+{{- if .Values.helm3_hook }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+ labels:
+{{ tuple $envAll "cinder" "create-internal-tenant" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "create-internal-tenant" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "create-internal-tenant" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "create_internal_tenant" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "create_internal_tenant" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: create-internal-tenant
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "create_internal_tenant" "container" "create_internal_tenant" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/create-internal-tenant.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-internal-tenant-sh
+ mountPath: /tmp/create-internal-tenant.sh
+ subPath: create-internal-tenant.sh
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+ - name: INTERNAL_PROJECT_NAME
+ value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
+ - name: INTERNAL_USER_NAME
+ value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
+
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-internal-tenant-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
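Review bot: The `create-internal-tenant` container sets `image:` and `imagePullPolicy:` directly from `.Values.images.tags.ks_user` and `.Values.images.pull_policy`, whereas every other job template in this chart goes through `{{ tuple $envAll "<image>" | include "helm-toolkit.snippets.image" | indent 10 }}` (see job-clean.yaml and job-backup-storage-init.yaml); the helper is also what applies the local-registry rewrite that job-image-repo-sync.yaml exists to support, so this container would presumably keep pulling from the upstream registry when `images.local_registry.active` is set. Replacing the two lines with `{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 10 }}` restores consistency. The stray empty `+` line between the `INTERNAL_USER_NAME` entry and the following `with` block renders as a blank line inside the `env:` sequence and can be dropped.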
diff --git a/charts/cinder/templates/job-db-drop.yaml b/charts/cinder/templates/job-db-drop.yaml
new file mode 100644
index 0000000..1115af5
--- /dev/null
+++ b/charts/cinder/templates/job-db-drop.yaml
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-db-init.yaml b/charts/cinder/templates/job-db-init.yaml
new file mode 100644
index 0000000..c7e450a
--- /dev/null
+++ b/charts/cinder/templates/job-db-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-db-sync.yaml b/charts/cinder/templates/job-db-sync.yaml
new file mode 100644
index 0000000..1bab87b
--- /dev/null
+++ b/charts/cinder/templates/job-db-sync.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "cinder" "podVolMounts" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumeMounts "podVols" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-image-repo-sync.yaml b/charts/cinder/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..2d1f1f7
--- /dev/null
+++ b/charts/cinder/templates/job-image-repo-sync.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
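Review bot: The `jobAnnotations` assignment inside the `helm3_hook` branch is missing the `set` call: `{{- $_ := $imageRepoSyncJob "jobAnnotations" (...) }}` applies arguments to a dict, which Go templates reject at render time with "can't give argument to non-function", so the template fails whenever both `.Values.helm3_hook` and `.Values.images.local_registry.active` are true and the hook annotations are never applied otherwise. The line should read `{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}`, matching the equivalent lines in job-db-init.yaml, job-db-sync.yaml and job-ks-*.yaml in this commit.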
diff --git a/charts/cinder/templates/job-ks-endpoints.yaml b/charts/cinder/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..6b0493d
--- /dev/null
+++ b/charts/cinder/templates/job-ks-endpoints.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volumev3" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-ks-service.yaml b/charts/cinder/templates/job-ks-service.yaml
new file mode 100644
index 0000000..3299506
--- /dev/null
+++ b/charts/cinder/templates/job-ks-service.yaml
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $serviceTypes := list }}
+{{- range $_, $v := keys .Values.endpoints | sortAlpha }}
+{{- if $v | hasPrefix "volume" }}
+{{- $serviceTypes = append $serviceTypes $v }}
+{{- end }}
+{{- end }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" $serviceTypes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-ks-user.yaml b/charts/cinder/templates/job-ks-user.yaml
new file mode 100644
index 0000000..4cd671d
--- /dev/null
+++ b/charts/cinder/templates/job-ks-user.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-rabbit-init.yaml b/charts/cinder/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..43d2392
--- /dev/null
+++ b/charts/cinder/templates/job-rabbit-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.cinder.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/cinder/templates/job-storage-init.yaml b/charts/cinder/templates/job-storage-init.yaml
new file mode 100644
index 0000000..0f06c22
--- /dev/null
+++ b/charts/cinder/templates/job-storage-init.yaml
@@ -0,0 +1,168 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_storage_init }}
+{{- $envAll := . }}
+
+{{- $internal_ceph_backend := .Values.ceph_client.internal_ceph_backend }}
+
+{{- $serviceAccountName := "cinder-storage-init" }}
+{{ tuple $envAll "storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cinder-storage-init
+ labels:
+{{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+ - name: ceph-keyring-placement
+{{ tuple $envAll "cinder_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+ securityContext:
+ runAsUser: 0
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: cinder-bin
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ {{ end }}
+ containers:
+ {{- range $name, $backend := .Values.conf.backends }}
+ {{- if (eq "true" ( dict "backend" $backend | include "cinder.utils.is_ceph_backend" )) }}
+ {{- if eq $internal_ceph_backend $name }}
+ - name: cinder-storage-init-{{$name}}
+{{ tuple $envAll "cinder_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: STORAGE_BACKEND
+ value: {{ $backend.volume_driver | quote }}
+ - name: RBD_POOL_NAME
+ value: {{ $backend.rbd_pool | quote }}
+ - name: RBD_POOL_APP_NAME
+ value: {{ (index $envAll.Values.conf.ceph.pools $backend.rbd_pool).app_name | quote }}
+ - name: RBD_POOL_USER
+ value: {{ $backend.rbd_user | quote }}
+ - name: RBD_POOL_CRUSH_RULE
+ value: {{ (index $envAll.Values.conf.ceph.pools $backend.rbd_pool).crush_rule | quote }}
+ - name: RBD_POOL_REPLICATION
+ value: {{ (index $envAll.Values.conf.ceph.pools $backend.rbd_pool).replication | quote }}
+ - name: RBD_POOL_CHUNK_SIZE
+ value: {{ (index $envAll.Values.conf.ceph.pools $backend.rbd_pool).chunk_size | quote }}
+ - name: RBD_POOL_SECRET
+ value: {{ $envAll.Values.secrets.rbd.volume | quote }}
+ command:
+ - /tmp/storage-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-bin
+ mountPath: /tmp/storage-init.sh
+ subPath: storage-init.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+ {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.ceph_client.user_secret_name }}
+ {{- end }}
+ {{- end }}
+{{- end }}
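Review bot: The Role at the top of this hunk grants get/create/update/patch on every Secret in the release namespace, while the job only appears to touch the one named by `RBD_POOL_SECRET` (`.Values.secrets.rbd.volume`); a compromised init container running under this ServiceAccount could therefore read or overwrite any other Secret in the namespace, including the keystone and DB credentials rendered elsewhere in this chart. Kubernetes RBAC cannot scope `create` by name, but `get`/`update`/`patch` can be limited with `resourceNames`, so the single rule can be split as below. Whether storage-init.sh writes any other Secret is not visible from the hunk, so confirm against the script before narrowing.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - {{ .Values.secrets.rbd.volume | quote }}
    verbs:
      - get
      - update
      - patch
# … unchanged: RoleBinding and Job …
```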
diff --git a/charts/cinder/templates/network_policy.yaml b/charts/cinder/templates/network_policy.yaml
new file mode 100644
index 0000000..ba9a8bd
--- /dev/null
+++ b/charts/cinder/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "cinder" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/cinder/templates/pdb-api.yaml b/charts/cinder/templates/pdb-api.yaml
new file mode 100644
index 0000000..a6e8d16
--- /dev/null
+++ b/charts/cinder/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: cinder-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/cinder/templates/pod-rally-test.yaml b/charts/cinder/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..34316c6
--- /dev/null
+++ b/charts/cinder/templates/pod-rally-test.yaml
@@ -0,0 +1,113 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.cinder_tests.cinder_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.cinder_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ print $envAll.Release.Name "-test" }}
+ labels:
+{{ tuple $envAll "cinder" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "cinder-test" "containerNames" (list "init" "cinder-test" "cinder-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+ restartPolicy: Never
+{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
+{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ - name: cinder-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+ command:
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-bin
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+ containers:
+ - name: cinder-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: RALLY_ENV_NAME
+ value: {{.Release.Name}}
+ command:
+ - /tmp/rally-test.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cinder-etc
+ mountPath: /etc/rally/rally_tests.yaml
+ subPath: rally_tests.yaml
+ readOnly: true
+ - name: cinder-bin
+ mountPath: /tmp/rally-test.sh
+ subPath: rally-test.sh
+ readOnly: true
+ - name: rally-db
+ mountPath: /var/lib/rally
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: cinder-etc
+ secret:
+ secretName: cinder-etc
+ defaultMode: 0444
+ - name: cinder-bin
+ configMap:
+ name: cinder-bin
+ defaultMode: 0555
+ - name: rally-db
+ emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
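Review bot: `value: {{.Release.Name}}` for `RALLY_ENV_NAME` is rendered unquoted, while every other env value in this hunk goes through `| quote`; a release name that YAML types as a non-string (an all-digit name, for instance) would be rejected by the API server because `env[].value` must be a string. Change it to `value: {{ .Release.Name | quote }}`. Separately, this Pod gets no `helm-toolkit.snippets.kubernetes_pod_security_context` include, unlike the cinder-storage-init Job in this same commit, so it runs with whatever the images default to; if the security-context values used for application `cinder` are appropriate for the test pod, `{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}` under `spec:` would make the two consistent.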
diff --git a/charts/cinder/templates/pvc-backup.yaml b/charts/cinder/templates/pvc-backup.yaml
new file mode 100644
index 0000000..da6478a
--- /dev/null
+++ b/charts/cinder/templates/pvc-backup.yaml
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pvc_backup }}
+{{- $envAll := . }}
+{{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: cinder-backup
+spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: {{ .Values.backup.posix.volume.size }}
+ storageClassName: {{ .Values.backup.posix.volume.class_name }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/secret-db.yaml b/charts/cinder/templates/secret-db.yaml
new file mode 100644
index 0000000..a5cee90
--- /dev/null
+++ b/charts/cinder/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "cinder" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/secret-external-ceph-keyring.yaml b/charts/cinder/templates/secret-external-ceph-keyring.yaml
new file mode 100644
index 0000000..9cdd4af
--- /dev/null
+++ b/charts/cinder/templates/secret-external-ceph-keyring.yaml
@@ -0,0 +1,20 @@
+{{/*
+This manifest results a secret being created which has the keyring information
+needed for cinder rbd user of external managed ceph backend
+*/}}
+
+{{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
+
+{{- $envAll := . }}
+{{- $userClass := "volume_external" }}
+{{- $secretName := index $envAll.Values.secrets.rbd $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ key: {{ $envAll.Values.ceph_client.external_ceph.rbd_user_keyring | b64enc }}
+...
+{{- end }}
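Review bot: `key: {{ $envAll.Values.ceph_client.external_ceph.rbd_user_keyring | b64enc }}` renders an empty Secret rather than failing when the keyring value is unset, since the guard above only checks `enable_external_ceph_backend` and `rbd_user`; the misconfiguration then surfaces later in the volume pods instead of at render time. `required` turns it into a render-time error: `key: {{ required "ceph_client.external_ceph.rbd_user_keyring must be set" $envAll.Values.ceph_client.external_ceph.rbd_user_keyring | b64enc }}`. The header comment should also say that this value is a Ceph credential that ends up in chart values and the Helm release record, so it is meant to be supplied via an override or secret store rather than a committed values file; while there, `results a secret being created` reads as `results in a secret being created`.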
diff --git a/charts/cinder/templates/secret-ingress-tls.yaml b/charts/cinder/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..f298d67
--- /dev/null
+++ b/charts/cinder/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volumev3" ) }}
+{{- end }}
diff --git a/charts/cinder/templates/secret-keystone.yaml b/charts/cinder/templates/secret-keystone.yaml
new file mode 100644
index 0000000..90be568
--- /dev/null
+++ b/charts/cinder/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "cinder" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/secret-registry.yaml b/charts/cinder/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/cinder/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/cinder/templates/secret_rabbitmq.yaml b/charts/cinder/templates/secret_rabbitmq.yaml
new file mode 100644
index 0000000..2c4403e
--- /dev/null
+++ b/charts/cinder/templates/secret_rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "cinder" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/cinder/templates/service-api.yaml b/charts/cinder/templates/service-api.yaml
new file mode 100644
index 0000000..86d6b6f
--- /dev/null
+++ b/charts/cinder/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "volumev3" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: c-api
+ port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.api.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
diff --git a/charts/cinder/templates/service-ingress-api.yaml b/charts/cinder/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..ff0d27e
--- /dev/null
+++ b/charts/cinder/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "volumev3" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/cinder/templates/utils/_ceph_backend_list.tpl b/charts/cinder/templates/utils/_ceph_backend_list.tpl
new file mode 100644
index 0000000..f976127
--- /dev/null
+++ b/charts/cinder/templates/utils/_ceph_backend_list.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- /*
+ Return string with all ceph backends separated by comma. The list
+ is either empty or it starts with a comma. Assuming "a", "b" and
+ "c" are ceph backends then ceph_backend_list returns ",a,b,c".
+ This means the first element in the returned list representation
+ can always be skipped.
+
+ Usage:
+ range $name := rest (splitList include "cinder.utils.ceph_backend_list" $)
+*/ -}}
+{{- define "cinder.utils.ceph_backend_list" -}}
+ {{- range $name, $backend := .Values.conf.backends -}}
+ {{- if kindIs "map" $backend }}
+ {{- if (eq $backend.volume_driver "cinder.volume.drivers.rbd.RBDDriver") -}}
+ {{- "," -}}
+ {{- $name -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
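Review bot: The usage example in the header comment does not parse: `rest (splitList include "cinder.utils.ceph_backend_list" $)` is missing the separator argument to `splitList` and the parentheses around the `include` call. Given the `,a,b,c` output format the comment describes, the working form is `range $name := rest (splitList "," (include "cinder.utils.ceph_backend_list" $))`. A reader copying the example as written would get a template parse error rather than the backend list.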
diff --git a/charts/cinder/templates/utils/_has_ceph_backend.tpl b/charts/cinder/templates/utils/_has_ceph_backend.tpl
new file mode 100644
index 0000000..bf975bb
--- /dev/null
+++ b/charts/cinder/templates/utils/_has_ceph_backend.tpl
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "cinder.utils.has_ceph_backend" -}}
+ {{- $has_ceph := false -}}
+ {{- range $_, $backend := .Values.conf.backends -}}
+ {{- if kindIs "map" $backend -}}
+ {{- $has_ceph = or $has_ceph (eq $backend.volume_driver "cinder.volume.drivers.rbd.RBDDriver") -}}
+ {{- end -}}
+ {{- end -}}
+ {{- $has_ceph -}}
+{{- end -}}
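Review bot: The RBD driver class string `"cinder.volume.drivers.rbd.RBDDriver"` together with the `kindIs "map"` guard is repeated here, in `_ceph_backend_list.tpl` and in `_is_ceph_backend.tpl` within this same commit, so a change to one detection rule can silently diverge from the other two. Since `cinder.utils.is_ceph_backend` already encapsulates the test, the loop body here could become `{{- $has_ceph = or $has_ceph (eq "true" (dict "backend" $backend | include "cinder.utils.is_ceph_backend")) -}}` with the `kindIs` check dropped, and `_ceph_backend_list.tpl` could reuse it the same way.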
diff --git a/charts/cinder/templates/utils/_is_ceph_backend.tpl b/charts/cinder/templates/utils/_is_ceph_backend.tpl
new file mode 100644
index 0000000..3cba439
--- /dev/null
+++ b/charts/cinder/templates/utils/_is_ceph_backend.tpl
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "cinder.utils.is_ceph_backend" -}}
+{{- $backend := index . "backend" -}}
+{{- printf "%v" (and ( kindIs "map" $backend ) ( eq $backend.volume_driver "cinder.volume.drivers.rbd.RBDDriver" )) -}}
+{{- end -}}
diff --git a/charts/cinder/values.yaml b/charts/cinder/values.yaml
new file mode 100644
index 0000000..647a049
--- /dev/null
+++ b/charts/cinder/values.yaml
@@ -0,0 +1,1518 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for cinder.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+storage: ceph
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ backup:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ scheduler:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ volume:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+release_group: null
+
+images:
+ tags:
+ test: docker.io/xrally/xrally-openstack:2.0.0
+ db_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ cinder_db_sync: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+ db_drop: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ ks_user: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ ks_service: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ ks_endpoints: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ cinder_api: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+ bootstrap: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ cinder_scheduler: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+ cinder_volume: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+ cinder_volume_usage_audit: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+ cinder_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic
+ cinder_backup: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+ cinder_backup_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+jobs:
+ volume_usage_audit:
+ cron: "5 * * * *"
+ starting_deadline: 600
+ history:
+ success: 3
+ failed: 1
+
+pod:
+ security_context:
+ volume_usage_audit:
+ pod:
+ runAsUser: 42424
+ container:
+ cinder_volume_usage_audit:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ cinder_api:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_coordination_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ cinder_api:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ cinder_backup:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_backup_keyring_placement:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ ceph_keyring_placement:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ ceph_backup_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ ceph_coordination_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ cinder_backup:
+ capabilities:
+ add:
+ - SYS_ADMIN
+ readOnlyRootFilesystem: true
+ runAsUser: 0
+ cinder_scheduler:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_coordination_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ cinder_scheduler:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ cinder_volume:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_keyring_placement:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ ceph_coordination_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ init_cinder_conf:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ cinder_volume:
+ readOnlyRootFilesystem: true
+ storage_init:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_keyring_placement:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ cinder_backup_storage_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ clean:
+ pod:
+ runAsUser: 42424
+ container:
+ cinder_volume_rbd_secret_clean:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ create_internal_tenant:
+ pod:
+ runAsUser: 42424
+ container:
+ create_internal_tenant:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ tolerations:
+ cinder:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ useHostNetwork:
+ volume: false
+ backup: false
+ mounts:
+ cinder_api:
+ init_container: null
+ cinder_api:
+ volumeMounts:
+ volumes:
+ cinder_scheduler:
+ init_container: null
+ cinder_scheduler:
+ volumeMounts:
+ volumes:
+ cinder_volume:
+ init_container: null
+ cinder_volume:
+ volumeMounts:
+ volumes:
+ cinder_volume_usage_audit:
+ init_container: null
+ cinder_volume_usage_audit:
+ volumeMounts:
+ volumes:
+ cinder_backup:
+ init_container: null
+ cinder_backup:
+ volumeMounts:
+ volumes:
+ cinder_tests:
+ init_container: null
+ cinder_tests:
+ volumeMounts:
+ volumes:
+ cinder_db_sync:
+ cinder_db_sync:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ volume: 1
+ scheduler: 1
+ backup: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ scheduler:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ volume:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ volume_usage_audit:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ clean:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ backup_storage_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ storage_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+bootstrap:
+ enabled: true
+ ks_user: admin
+ bootstrap_conf_backends: true
+ volume_types:
+ name:
+ group:
+ volume_backend_name:
+ # access_type: "private"
+ # If you set up access_type to private, only the creator
+ # will get an access to the volume type. You can extend
+ # the access to your volume type by providing a list of
+ # domain names and projects as shown below
+ # grant_access:
+ # <domain name 1>:
+ # - <project name 1>
+ # - <project name 2>
+ # <...>
+ # <domain name 2>:
+ # - <project name 1>
+ # <...>
+ # Volume QoS if any. By default, None QoS is created.
+ # Below values with a number at the end need to be replaced
+ # with real names.
+ # volume_qos:
+ # qos_name_1:
+ # consumer: front-end
+ # properties:
+ # key_1: value_1
+ # key_2: value_2
+ # associates:
+ # - volume_type_1
+ # - volume_type_2
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30877
+
+ceph_client:
+ # enable this when there is a need to create second ceph backed pointing
+ # to external ceph cluster
+ enable_external_ceph_backend: false
+ # change this in case of first ceph backend name pointing to internal ceph cluster
+ # is diffrent
+ internal_ceph_backend: rbd1
+ configmap: ceph-etc
+ user_secret_name: pvc-ceph-client-key
+ external_ceph:
+ # Only when enable_external_ceph_backend is true and rbd_user is NOT null
+ # secret for external ceph keyring will be created.
+ rbd_user: null
+ rbd_user_keyring: null
+ conf:
+ global: null
+ osd: null
+conf:
+ paste:
+ composite:osapi_volume:
+ use: call:cinder.api:root_app_factory
+ /: apiversions
+ /v3: openstack_volume_api_v3
+ composite:openstack_volume_api_v3:
+ use: call:cinder.api.middleware.auth:pipeline_factory
+ noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
+ keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
+ keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv3
+ filter:request_id:
+ paste.filter_factory: oslo_middleware.request_id:RequestId.factory
+ filter:http_proxy_to_wsgi:
+ paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: cinder
+ filter:faultwrap:
+ paste.filter_factory: cinder.api.middleware.fault:FaultWrapper.factory
+ filter:osprofiler:
+ paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
+ filter:noauth:
+ paste.filter_factory: cinder.api.middleware.auth:NoAuthMiddleware.factory
+ filter:sizelimit:
+ paste.filter_factory: oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+ app:apiv3:
+ paste.app_factory: cinder.api.v3.router:APIRouter.factory
+ pipeline:apiversions:
+ pipeline: cors http_proxy_to_wsgi faultwrap osvolumeversionapp
+ app:osvolumeversionapp:
+ paste.app_factory: cinder.api.versions:Versions.factory
+ filter:keystonecontext:
+ paste.filter_factory: cinder.api.middleware.auth:CinderKeystoneContext.factory
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/cinder/api_audit_map.conf
+ policy:
+ context_is_admin: role:admin
+ admin_or_owner: is_admin:True or project_id:%(project_id)s
+ default: rule:admin_or_owner
+ admin_api: is_admin:True
+ volume:create: ''
+ volume:delete: rule:admin_or_owner
+ volume:get: rule:admin_or_owner
+ volume:get_all: rule:admin_or_owner
+ volume:get_volume_metadata: rule:admin_or_owner
+ volume:create_volume_metadata: rule:admin_or_owner
+ volume:delete_volume_metadata: rule:admin_or_owner
+ volume:update_volume_metadata: rule:admin_or_owner
+ volume:get_volume_admin_metadata: rule:admin_api
+ volume:update_volume_admin_metadata: rule:admin_api
+ volume:get_snapshot: rule:admin_or_owner
+ volume:get_all_snapshots: rule:admin_or_owner
+ volume:create_snapshot: rule:admin_or_owner
+ volume:delete_snapshot: rule:admin_or_owner
+ volume:update_snapshot: rule:admin_or_owner
+ volume:get_snapshot_metadata: rule:admin_or_owner
+ volume:delete_snapshot_metadata: rule:admin_or_owner
+ volume:update_snapshot_metadata: rule:admin_or_owner
+ volume:extend: rule:admin_or_owner
+ volume:update_readonly_flag: rule:admin_or_owner
+ volume:retype: rule:admin_or_owner
+ volume:update: rule:admin_or_owner
+ volume_extension:types_manage: rule:admin_api
+ volume_extension:types_extra_specs: rule:admin_api
+ volume_extension:access_types_qos_specs_id: rule:admin_api
+ volume_extension:access_types_extra_specs: rule:admin_api
+ volume_extension:volume_type_access: rule:admin_or_owner
+ volume_extension:volume_type_access:addProjectAccess: rule:admin_api
+ volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
+ volume_extension:volume_type_encryption: rule:admin_api
+ volume_extension:volume_encryption_metadata: rule:admin_or_owner
+ volume_extension:extended_snapshot_attributes: rule:admin_or_owner
+ volume_extension:volume_image_metadata: rule:admin_or_owner
+ volume_extension:quotas:show: ''
+ volume_extension:quotas:update: rule:admin_api
+ volume_extension:quotas:delete: rule:admin_api
+ volume_extension:quota_classes: rule:admin_api
+ volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
+ volume_extension:volume_admin_actions:reset_status: rule:admin_api
+ volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
+ volume_extension:backup_admin_actions:reset_status: rule:admin_api
+ volume_extension:volume_admin_actions:force_delete: rule:admin_api
+ volume_extension:volume_admin_actions:force_detach: rule:admin_api
+ volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
+ volume_extension:backup_admin_actions:force_delete: rule:admin_api
+ volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
+ volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
+ volume_extension:volume_actions:upload_public: rule:admin_api
+ volume_extension:volume_actions:upload_image: rule:admin_or_owner
+ volume_extension:volume_host_attribute: rule:admin_api
+ volume_extension:volume_tenant_attribute: rule:admin_or_owner
+ volume_extension:volume_mig_status_attribute: rule:admin_api
+ volume_extension:hosts: rule:admin_api
+ volume_extension:services:index: rule:admin_api
+ volume_extension:services:update: rule:admin_api
+ volume_extension:volume_manage: rule:admin_api
+ volume_extension:volume_unmanage: rule:admin_api
+ volume_extension:list_manageable: rule:admin_api
+ volume_extension:capabilities: rule:admin_api
+ volume:create_transfer: rule:admin_or_owner
+ volume:accept_transfer: ''
+ volume:delete_transfer: rule:admin_or_owner
+ volume:get_transfer: rule:admin_or_owner
+ volume:get_all_transfers: rule:admin_or_owner
+ volume_extension:replication:promote: rule:admin_api
+ volume_extension:replication:reenable: rule:admin_api
+ volume:failover_host: rule:admin_api
+ volume:freeze_host: rule:admin_api
+ volume:thaw_host: rule:admin_api
+ backup:create: ''
+ backup:delete: rule:admin_or_owner
+ backup:get: rule:admin_or_owner
+ backup:get_all: rule:admin_or_owner
+ backup:restore: rule:admin_or_owner
+ backup:backup-import: rule:admin_api
+ backup:backup-export: rule:admin_api
+ backup:update: rule:admin_or_owner
+ snapshot_extension:snapshot_actions:update_snapshot_status: ''
+ snapshot_extension:snapshot_manage: rule:admin_api
+ snapshot_extension:snapshot_unmanage: rule:admin_api
+ snapshot_extension:list_manageable: rule:admin_api
+ consistencygroup:create: group:nobody
+ consistencygroup:delete: group:nobody
+ consistencygroup:update: group:nobody
+ consistencygroup:get: group:nobody
+ consistencygroup:get_all: group:nobody
+ consistencygroup:create_cgsnapshot: group:nobody
+ consistencygroup:delete_cgsnapshot: group:nobody
+ consistencygroup:get_cgsnapshot: group:nobody
+ consistencygroup:get_all_cgsnapshots: group:nobody
+ group:group_types_manage: rule:admin_api
+ group:group_types_specs: rule:admin_api
+ group:access_group_types_specs: rule:admin_api
+ group:group_type_access: rule:admin_or_owner
+ group:create: ''
+ group:delete: rule:admin_or_owner
+ group:update: rule:admin_or_owner
+ group:get: rule:admin_or_owner
+ group:get_all: rule:admin_or_owner
+ group:create_group_snapshot: ''
+ group:delete_group_snapshot: rule:admin_or_owner
+ group:update_group_snapshot: rule:admin_or_owner
+ group:get_group_snapshot: rule:admin_or_owner
+ group:get_all_group_snapshots: rule:admin_or_owner
+ scheduler_extension:scheduler_stats:get_pools: rule:admin_api
+ message:delete: rule:admin_or_owner
+ message:get: rule:admin_or_owner
+ message:get_all: rule:admin_or_owner
+ clusters:get: rule:admin_api
+ clusters:get_all: rule:admin_api
+ clusters:update: rule:admin_api
+ api_audit_map:
+ DEFAULT:
+ target_endpoint_type: None
+ custom_actions:
+ associate: update/associate
+ disassociate: update/disassociate_all
+ disassociate_all: update/disassociate_all
+ associations: read/list/associations
+ path_keywords:
+ defaults: None
+ detail: None
+ limits: None
+ os-quota-specs: project
+ qos-specs: qos-spec
+ snapshots: snapshot
+ types: type
+ volumes: volume
+ service_endpoints:
+ volumev3: service/storage/block
+ cinder_sudoers: |
+ # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+ Defaults !requiretty
+ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+ cinder ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *, /var/lib/openstack/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
+ rootwrap: |
+ # Configuration for cinder-rootwrap
+ # This file should be owned by (and only-writeable by) the root user
+
+ [DEFAULT]
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path=/etc/cinder/rootwrap.d
+
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog=False
+
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility=syslog
+
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level=ERROR
+ rootwrap_filters:
+ volume:
+ pods:
+ - volume
+ content: |
+ # cinder-rootwrap command filters for volume nodes
+ # This file should be owned by (and only-writeable by) the root user
+
+ [Filters]
+ # cinder/volume/iscsi.py: iscsi_helper '--op' ...
+ ietadm: CommandFilter, ietadm, root
+ tgtadm: CommandFilter, tgtadm, root
+ iscsictl: CommandFilter, iscsictl, root
+ tgt-admin: CommandFilter, tgt-admin, root
+ cinder-rtstool: CommandFilter, cinder-rtstool, root
+ scstadmin: CommandFilter, scstadmin, root
+
+ # LVM related show commands
+ pvs: EnvFilter, env, root, LC_ALL=C, pvs
+ vgs: EnvFilter, env, root, LC_ALL=C, vgs
+ lvs: EnvFilter, env, root, LC_ALL=C, lvs
+ lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
+
+ # -LVM related show commands with suppress fd warnings
+ pvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+ vgs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+ lvs_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+ lvdisplay_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+
+ # -LVM related show commands conf var
+ pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs
+ vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs
+ lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs
+ lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
+
+ # -LVM conf var with suppress fd_warnings
+ pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, pvs
+ vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, vgs
+ lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvs
+ lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvdisplay
+
+ # os-brick library commands
+ # os_brick.privileged.run_as_root oslo.privsep context
+ # This line ties the superuser privs with the config files, context name,
+ # and (implicitly) the actual python code invoked.
+ privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+ # The following and any cinder/brick/* entries should all be obsoleted
+ # by privsep, and may be removed once the os-brick version requirement
+ # is updated appropriately.
+ scsi_id: CommandFilter, /lib/udev/scsi_id, root
+ drbdadm: CommandFilter, drbdadm, root
+
+ # cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
+ vgcreate: CommandFilter, vgcreate, root
+
+ # cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
+ # cinder/brick/local_dev/lvm.py: 'lvcreate', '-L', ...
+ lvcreate: EnvFilter, env, root, LC_ALL=C, lvcreate
+ lvcreate_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvcreate
+ lvcreate_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvcreate
+ lvcreate_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LVM_SUPPRESS_FD_WARNINGS=, LC_ALL=C, lvcreate
+
+ # cinder/volume/driver.py: 'dd', 'if=%s' % srcstr, 'of=%s' % deststr,...
+ dd: CommandFilter, dd, root
+
+ # cinder/volume/driver.py: 'lvremove', '-f', %s/%s % ...
+ lvremove: CommandFilter, lvremove, root
+
+ # cinder/volume/driver.py: 'lvrename', '%(vg)s', '%(orig)s' '(new)s'...
+ lvrename: CommandFilter, lvrename, root
+
+ # cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
+ # cinder/brick/local_dev/lvm.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
+ lvextend: EnvFilter, env, root, LC_ALL=C, lvextend
+ lvextend_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvextend
+ lvextend_fdwarn: EnvFilter, env, root, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+ lvextend_lvmconf_fdwarn: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, LVM_SUPPRESS_FD_WARNINGS=, lvextend
+
+ # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K <lv>'
+ lvchange: CommandFilter, lvchange, root
+
+ # cinder/brick/local_dev/lvm.py: 'lvconvert', '--merge', snapshot_name
+ lvconvert: CommandFilter, lvconvert, root
+
+ # cinder/volume/driver.py: 'iscsiadm', '-m', 'discovery', '-t',...
+ # cinder/volume/driver.py: 'iscsiadm', '-m', 'node', '-T', ...
+ iscsiadm: CommandFilter, iscsiadm, root
+
+ # cinder/volume/utils.py: utils.temporary_chown(path, 0)
+ chown: CommandFilter, chown, root
+
+ # cinder/volume/utils.py: copy_volume(..., ionice='...')
+ ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7]
+ ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]
+
+ # cinder/volume/utils.py: setup_blkio_cgroup()
+ cgcreate: CommandFilter, cgcreate, root
+ cgset: CommandFilter, cgset, root
+ cgexec: ChainingRegExpFilter, cgexec, root, cgexec, -g, blkio:\S+
+
+ # cinder/volume/driver.py
+ dmsetup: CommandFilter, dmsetup, root
+ ln: CommandFilter, ln, root
+
+ # cinder/image/image_utils.py
+ qemu-img: EnvFilter, env, root, LC_ALL=C, qemu-img
+ qemu-img_convert: CommandFilter, qemu-img, root
+
+ udevadm: CommandFilter, udevadm, root
+
+ # cinder/volume/driver.py: utils.read_file_as_root()
+ cat: CommandFilter, cat, root
+
+ # cinder/volume/nfs.py
+ stat: CommandFilter, stat, root
+ mount: CommandFilter, mount, root
+ df: CommandFilter, df, root
+ du: CommandFilter, du, root
+ truncate: CommandFilter, truncate, root
+ chmod: CommandFilter, chmod, root
+ rm: CommandFilter, rm, root
+
+ # cinder/volume/drivers/remotefs.py
+ mkdir: CommandFilter, mkdir, root
+
+ # cinder/volume/drivers/netapp/nfs.py:
+ netapp_nfs_find: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -name, img-cache.*, -amin, \+\d+
+
+ # cinder/volume/drivers/glusterfs.py
+ chgrp: CommandFilter, chgrp, root
+ umount: CommandFilter, umount, root
+ fallocate: CommandFilter, fallocate, root
+
+ # cinder/volumes/drivers/hds/hds.py:
+ hus-cmd: CommandFilter, hus-cmd, root
+ hus-cmd_local: CommandFilter, /usr/local/bin/hus-cmd, root
+
+ # cinder/volumes/drivers/hds/hnas_backend.py
+ ssc: CommandFilter, ssc, root
+
+ # cinder/brick/initiator/connector.py:
+ ls: CommandFilter, ls, root
+ tee: CommandFilter, tee, root
+ multipath: CommandFilter, multipath, root
+ multipathd: CommandFilter, multipathd, root
+ systool: CommandFilter, systool, root
+
+ # cinder/volume/drivers/block_device.py
+ blockdev: CommandFilter, blockdev, root
+
+ # cinder/volume/drivers/ibm/gpfs.py
+ # cinder/volume/drivers/tintri.py
+ mv: CommandFilter, mv, root
+
+ # cinder/volume/drivers/ibm/gpfs.py
+ cp: CommandFilter, cp, root
+ mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
+ mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root
+ mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root
+ mmchattr: CommandFilter, /usr/lpp/mmfs/bin/mmchattr, root
+ mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root
+ mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root
+ mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root
+ mkfs: CommandFilter, mkfs, root
+ mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
+ mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
+ mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
+ mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
+ mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
+ mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
+
+ # cinder/volume/drivers/ibm/gpfs.py
+ # cinder/volume/drivers/ibm/ibmnas.py
+ find_maxdepth_inum: RegExpFilter, find, root, find, ^[/]*([^/\0]+(/+)?)*$, -maxdepth, \d+, -ignore_readdir_race, -inum, \d+, -print0, -quit
+
+ # cinder/brick/initiator/connector.py:
+ aoe-revalidate: CommandFilter, aoe-revalidate, root
+ aoe-discover: CommandFilter, aoe-discover, root
+ aoe-flush: CommandFilter, aoe-flush, root
+
+ # cinder/brick/initiator/linuxscsi.py:
+ sg_scan: CommandFilter, sg_scan, root
+
+ #cinder/backup/services/tsm.py
+ dsmc:CommandFilter,/usr/bin/dsmc,root
+
+ # cinder/volume/drivers/hitachi/hbsd_horcm.py
+ raidqry: CommandFilter, raidqry, root
+ raidcom: CommandFilter, raidcom, root
+ pairsplit: CommandFilter, pairsplit, root
+ paircreate: CommandFilter, paircreate, root
+ pairdisplay: CommandFilter, pairdisplay, root
+ pairevtwait: CommandFilter, pairevtwait, root
+ horcmstart.sh: CommandFilter, horcmstart.sh, root
+ horcmshutdown.sh: CommandFilter, horcmshutdown.sh, root
+ horcmgr: EnvFilter, env, root, HORCMINST=, /etc/horcmgr
+
+ # cinder/volume/drivers/hitachi/hbsd_snm2.py
+ auman: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auman
+ auluref: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluref
+ auhgdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgdef
+ aufibre1: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aufibre1
+ auhgwwn: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgwwn
+ auhgmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auhgmap
+ autargetmap: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetmap
+ aureplicationvvol: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationvvol
+ auluadd: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluadd
+ auludel: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auludel
+ auluchgsize: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auluchgsize
+ auchapuser: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auchapuser
+ autargetdef: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetdef
+ autargetopt: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetopt
+ autargetini: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/autargetini
+ auiscsi: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/auiscsi
+ audppool: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/audppool
+ aureplicationlocal: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationlocal
+ aureplicationmon: EnvFilter, env, root, LANG=, STONAVM_HOME=, LD_LIBRARY_PATH=, STONAVM_RSP_PASS=, STONAVM_ACT=, /usr/stonavm/aureplicationmon
+
+ # cinder/volume/drivers/hgst.py
+ vgc-cluster: CommandFilter, vgc-cluster, root
+
+ # cinder/volume/drivers/vzstorage.py
+ pstorage-mount: CommandFilter, pstorage-mount, root
+ pstorage: CommandFilter, pstorage, root
+ ploop: CommandFilter, ploop, root
+
+ # initiator/connector.py:
+ drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+ ceph:
+ override:
+ append:
+ monitors: []
+ admin_keyring: null
+ pools:
+ backup:
+ replication: 3
+ crush_rule: replicated_rule
+ chunk_size: 8
+ app_name: cinder-backup
+ cinder.volumes:
+ replication: 3
+ crush_rule: replicated_rule
+ chunk_size: 8
+ app_name: cinder-volume
+ cinder:
+ DEFAULT:
+ volume_usage_audit_period: hour
+ resource_query_filters_file: /etc/cinder/resource_filters.json
+ log_config_append: /etc/cinder/logging.conf
+ use_syslog: false
+ use_stderr: true
+ enable_v1_api: false
+ volume_name_template: "%s"
+ osapi_volume_workers: 1
+ glance_api_version: 2
+ os_region_name: RegionOne
+ host: cinder-volume-worker
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ osapi_volume_listen_port: null
+ enabled_backends: "rbd1"
+ default_volume_type: "rbd1"
+ # NOTE(portdirect): "cinder.backup.drivers.ceph" and
+ # "cinder.backup.drivers.posix" also supported
+ # NOTE(rchurch): As of Stein, drivers by class name are required
+ # - cinder.backup.drivers.swift.SwiftBackupDriver
+ # - cinder.backup.drivers.ceph.CephBackupDriver
+ # - cinder.backup.drivers.posix.PosixBackupDriver
+ backup_driver: "cinder.backup.drivers.swift.SwiftBackupDriver"
+ # Backup: Ceph RBD options
+ backup_ceph_conf: "/etc/ceph/ceph.conf"
+ backup_ceph_user: cinderbackup
+ backup_ceph_pool: cinder.backups
+ # Backup: Posix options
+ backup_posix_path: /var/lib/cinder/backup
+ auth_strategy: keystone
+ # Internal tenant id
+ internal_project_name: internal_cinder
+ internal_user_name: internal_cinder
+ database:
+ max_retries: -1
+ keystone_authtoken:
+ auth_version: v3
+ auth_type: password
+ memcache_security_strategy: ENCRYPT
+ oslo_policy:
+ policy_file: /etc/cinder/policy.yaml
+ oslo_concurrency:
+ lock_path: "/var/lib/cinder/tmp"
+ oslo_messaging_notifications:
+ driver: messagingv2
+ oslo_middleware:
+ enable_proxy_headers_parsing: true
+ oslo_messaging_rabbit:
+ rabbit_ha_queues: true
+ coordination:
+ backend_url: file:///var/lib/cinder/coordination
+ service_user:
+ auth_type: password
+ send_service_user_token: false
+ logging:
+ loggers:
+ keys:
+ - root
+ - cinder
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_cinder:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: cinder
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ rabbitmq:
+ # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+ policies:
+ - vhost: "cinder"
+ name: "ha_ttl_cinder"
+ definition:
+ # mirror messges to other nodes in rmq cluster
+ ha-mode: "all"
+ ha-sync-mode: "automatic"
+ # 70s
+ message-ttl: 70000
+ priority: 0
+ apply-to: all
+ pattern: '^(?!(amq\.|reply_)).*'
+
+ backends:
+ # Those options will be written to backends.conf as-is.
+ rbd1:
+ volume_driver: cinder.volume.drivers.rbd.RBDDriver
+ volume_backend_name: rbd1
+ rbd_pool: cinder.volumes
+ rbd_ceph_conf: "/etc/ceph/ceph.conf"
+ rbd_flatten_volume_from_snapshot: false
+ report_discard_supported: true
+ rbd_max_clone_depth: 5
+ rbd_store_chunk_size: 4
+ rados_connect_timeout: -1
+ rbd_user: cinder
+ rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+ image_volume_cache_enabled: True
+ image_volume_cache_max_size_gb: 200
+ image_volume_cache_max_count: 50
+ rally_tests:
+ run_tempest: false
+ clean_up: |
+ VOLUMES=$(openstack volume list -f value | grep -e "^s_rally_" | awk '{ print $1 }')
+ if [ -n "$VOLUMES" ]; then
+ echo $VOLUMES | xargs openstack volume delete
+ fi
+ tests:
+ CinderVolumes.create_and_delete_volume:
+ - args:
+ size: 1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ - args:
+ size:
+ max: 5
+ min: 1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ resource_filters:
+ volume:
+ - name
+ - status
+ - metadata
+ - bootable
+ - migration_status
+ - availability_zone
+ - group_id
+ backup:
+ - name
+ - status
+ - volume_id
+ snapshot:
+ - name
+ - status
+ - volume_id
+ - metadata
+ - availability_zone
+ group: []
+ group_snapshot:
+ - status
+ - group_id
+ attachment:
+ - volume_id
+ - status
+ - instance_id
+ - attach_status
+ message:
+ - resource_uuid
+ - resource_type
+ - event_id
+ - request_id
+ - message_level
+ pool:
+ - name
+ - volume_type
+ volume_type: []
+ enable_iscsi: false
+backup:
+ external_ceph_rbd:
+ enabled: false
+ admin_keyring: null
+ conf:
+ global: null
+ osd: null
+ posix:
+ volume:
+ class_name: general
+ size: 10Gi
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - cinder-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ api:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ - cinder-rabbit-init
+ - cinder-storage-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ backup:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ - cinder-rabbit-init
+ - cinder-storage-init
+ - cinder-backup-storage-init
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: volumev3
+ backup_storage_init:
+ jobs: null
+ bootstrap:
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: volumev3
+ pod:
+ - requireSameNode: false
+ labels:
+ application: cinder
+ component: volume
+ clean:
+ jobs: null
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - cinder-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ ks_endpoints:
+ jobs:
+ - cinder-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - service: oslo_messaging
+ endpoint: internal
+ scheduler:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ - cinder-rabbit-init
+ - cinder-storage-init
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: volumev3
+ storage_init:
+ jobs: null
+ tests:
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: volumev3
+ volume:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ - cinder-rabbit-init
+ - cinder-storage-init
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: volumev3
+ volume_usage_audit:
+ jobs:
+ - cinder-db-sync
+ - cinder-ks-user
+ - cinder-ks-endpoints
+ - cinder-rabbit-init
+ - cinder-storage-init
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: volumev3
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+ create_internal_tenant:
+ services:
+ - endpoint: internal
+ service: identity
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: cinder-keystone-admin
+ cinder: cinder-keystone-user
+ test: cinder-keystone-test
+ oslo_db:
+ admin: cinder-db-admin
+ cinder: cinder-db-user
+ rbd:
+ backup: cinder-backup-rbd-keyring
+ volume: cinder-volume-rbd-keyring
+ volume_external: cinder-volume-external-rbd-keyring
+ oslo_messaging:
+ admin: cinder-rabbitmq-admin
+ cinder: cinder-rabbitmq-user
+ tls:
+ volumev3:
+ api:
+ public: cinder-tls-public
+ internal: cinder-tls-api
+ oci_image_registry:
+ cinder: cinder-oci-image-registry
+
+# We use a different layout of the endpoints here to account for versioning
+# this swaps the service name and type, and should be rolled out to other
+# services.
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ cinder:
+ username: cinder
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ cinder:
+ role: admin
+ region_name: RegionOne
+ username: cinder
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ test:
+ role: admin
+ region_name: RegionOne
+ username: cinder-test
+ password: password
+ project_name: test
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ image:
+ name: glance
+ hosts:
+ default: glance-api
+ public: glance
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: http
+ port:
+ api:
+ default: 9292
+ public: 80
+ volumev3:
+ name: cinder
+ hosts:
+ default: cinder-api
+ public: cinder
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: '/v3/%(tenant_id)s'
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8776
+ public: 80
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ cinder:
+ username: cinder
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ secret:
+ tls:
+ internal: rabbitmq-tls-direct
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ fluentd:
+ namespace: null
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns:
+ default: 53
+ protocol: UDP
+ ingress:
+ namespace: null
+ name: ingress
+ hosts:
+ default: ingress
+ port:
+ ingress:
+ default: 80
+
+network_policy:
+ cinder:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ cron_volume_usage_audit: true
+ deployment_api: true
+ deployment_backup: true
+ deployment_scheduler: true
+ deployment_volume: true
+ ingress_api: true
+ job_backup_storage_init: true
+ job_bootstrap: true
+ job_clean: true
+ job_create_internal_tenant: true
+ job_db_init: true
+ job_image_repo_sync: true
+ job_rabbit_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ job_storage_init: true
+ pdb_api: true
+ pod_rally_test: true
+ pvc_backup: true
+ network_policy: false
+ secret_db: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ secret_registry: true
+ service_api: true
+ service_ingress_api: true
+...
diff --git a/charts/designate/Chart.yaml b/charts/designate/Chart.yaml
new file mode 100644
index 0000000..3aeec68
--- /dev/null
+++ b/charts/designate/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Designate
+home: https://docs.openstack.org/designate/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Designate/OpenStack_Project_Designate_vertical.jpg
+maintainers:
+- name: OpenStack-Helm Authors
+name: designate
+sources:
+- https://opendev.org/openstack/designate
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.7
diff --git a/charts/designate/charts/helm-toolkit/Chart.yaml b/charts/designate/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..e79632a
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.49
diff --git a/charts/designate/charts/helm-toolkit/requirements.yaml b/charts/designate/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
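Review bot: The abstract at the top of this hunk says the helper "Resolves the namespace scoped hostname for an endpoint", but the body only emits `$namespace` (the `return` example is `default`), so the wording looks copied from the sibling `hostname_namespaced_endpoint_lookup` helper. Suggest `Resolves the namespace for an endpoint (its own namespace key, else the release namespace)`. Judging by the path this is a bundled copy of helm-toolkit, so the fix presumably belongs upstream and should be re-vendored from there.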
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
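Review bot: `$endpointScheme := $endpointMap.scheme`, on the line after the `$endpointMap` lookup, is assigned and never read and should be dropped. The address test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"` is unanchored, so a hostname such as `db-1.2.3.4.example` is also treated as an IP and the helper returns `$type` instead of the host; anchoring it as `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` restricts the branch to literal addresses, and the same unanchored pattern appears in `_service_name_endpoint_with_namespace_lookup.tpl`. The scratch key `__endpointHost` is written into `$context.Values` with `set` and never removed, so it leaks into the chart's values for the rest of the render; a local variable with `=` reassignment (as `_ceph-storageclass.tpl` in this commit does for `$monHost`) avoids the global side effect, e.g. `{{- $endpointHost := index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default }}` followed by `{{- if kindIs "map" $endpointHost }}{{- $endpointHost = index $endpointHost "host" }}{{- end }}`.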
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
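Review bot: The `usage` example in the doc block does not match the define below it: it calls `keystone_endpoint_name_lookup` with an unquoted `identity`, while the template is registered as `helm-toolkit.endpoints.keystone_endpoint_name_lookup` and `tuple` needs a string literal. Suggest `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. The abstract `Resolves the service name for an service type` should read `for a service type`.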
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
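Review bot: The `FIXME(portdirect)` lines above the doc block ask whether this helper is used; it is — `_keystone_endpoint_uri_lookup.tpl` in this same commit includes it — so the comment should be resolved or reworded to say what is actually wrong, and `$port` (`index . 2`) is indeed never read in the body. Those `# FIXME` lines sit outside `{{/* */}}` and are therefore template text rather than template comments, which is harmless in an underscore-prefixed partial but inconsistent with the rest of the file. One concrete defect the FIXME may refer to: when `path` is absent from the endpoint map, `kindIs "string"` is false and the else branch runs `index $endpointMap.path $endpoint` on a nil value, which Go's `index` rejects, so the `default "/"` fallbacks never get a chance — worth confirming and guarding with `{{- else if kindIs "map" $endpointMap.path -}}` plus a final `{{- else -}}/{{- end -}}`. The same FIXME and unused `$port` recur in `_keystone_endpoint_scheme_lookup.tpl`, whose trailing comment additionally names the helper `helm-toolkit.endpoints.keystone_scheme_lookup` instead of the defined `keystone_endpoint_scheme_lookup`.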
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/designate/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
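Review bot: `{{- if .service.name }}` inside the IP-address branch dereferences `.service` without checking that it exists; the doc block describes `.service.name` as an optional override, but when the endpoint map has no `service` key Go templates evaluate `.name` on a nil value and the render presumably fails (`nil pointer evaluating interface {}.name`). Confirm against the Helm version in use, then guard it, e.g. `{{- $svcName := "" }}{{- with .service }}{{- $svcName = .name | default "" }}{{- end }}` followed by `{{- if $svcName }}{{- printf "%s:%s" $endpointNamespace $svcName -}}` in place of the current `if`/`printf` pair. The doc comment's `usage` also passes `oslo_db internal` unquoted where the other helpers on this page quote the tuple members.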
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
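Review bot: `monitors: {{ $monHost }}` emits the value as a plain scalar while every other parameter in the loop goes through `| quote`; a `mon_host` taken from `conf.ceph.global` in Ceph's bracketed form (`[v2:…,v1:…]`) starts with `[` and would be read by the YAML parser as a flow sequence, breaking the StorageClass. Use `monitors: {{ $monHost | quote }}`. The lookup `$envAll.Values.conf.ceph.global.mon_host` also presumes `conf.ceph.global` exists in every chart that includes this helper and would presumably fail the render with a nil-pointer error otherwise, so either a `with` guard or an explicit entry in the doc block's `values` example would help. `allowVolumeExpansion: true` is hard-coded and absent from the `return` example, so it should be documented there or made configurable.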
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
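Review bot: `name: {{ index … "tls" "secretName" }}` renders an empty `metadata.name` when `secretName` is unset, producing a Certificate the API server rejects with an unhelpful message; `required` fails at template time with a clear reason: `name: {{ required "endpoints.<service>.host_fqdn_override.default.tls.secretName is required" (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName") }}`, and `issuerRef` deserves the same treatment since it is neither defaulted nor checked. Because the final `{{ $slice | toYaml | indent 2 }}` serialises the whole `tls` map into `spec`, any extra keys under it are copied verbatim into the Certificate object — the ingress helper on this page keeps static `crt`/`key`/`ca` material under the same `host_fqdn_override.<endpoint>.tls` path, so a values file that mixes the two conventions would place private-key material in a non-Secret resource and fail schema validation; the doc block should state that `default.tls` must contain only Certificate `spec` fields, or the helper should strip them with `omit`. The defaulting also mutates `$envAll.Values` via `set`, so the injected `dnsNames`, `privateKey`, `duration`, `renewBefore` and `usages` persist into later templates of the same render; worth a sentence in the doc block.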
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..f05f7b7
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
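Review bot: `{{- if eq $openrc "true" }}` gates the openrc env block on a string-only comparison; the default is the string "true", but a caller that passes a YAML boolean makes Go's `eq` abort rendering with an incompatible-types error instead of simply skipping the block. Normalising before comparing avoids that: `{{- if eq ($openrc | toString) "true" }}`. Separately, nothing in this template sets a pod- or container-level securityContext, so the bootstrap container runs with whatever user and capabilities the image defaults to; if this bundled toolkit version carries the kubernetes_pod_security_context / kubernetes_container_security_context snippets, including them here would let charts pin runAsUser and allowPrivilegeEscalation through values as the other job templates can.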
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
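Review bot: When `manifests.certificates` is enabled but the caller passes no `dbAdminTlsSecret`, the tls_volume_mount and tls_volume includes near the end of the containers and volumes blocks are handed `"name" ""`, so the TLS volume is presumably rendered with an empty secretName and the failure only surfaces at pod scheduling rather than at template time; _job-db-init-mysql.tpl has the same two call sites. Making the requirement explicit inside the `if $envAll.Values.manifests.certificates` guard, before the volume is emitted, catches it during `helm template`: `{{- $_ := required "dbAdminTlsSecret must be set when manifests.certificates is enabled" $dbAdminTlsSecret }}`. Minor: `{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}` inside the containers range lacks the `{{-` left-trim its twin in the volumes range has, so every container entry is preceded by a stray blank line in the rendered YAML; harmless, but inconsistent.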
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
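Review bot: The `$local` flag named `configMapBinFirst` in the volumes block actually gates the one-time emission of the `etc-service` emptyDir and the `db-init-conf` volume, which is backed by the `$configMapEtc` Secret rather than the bin ConfigMap, so the name misleads anyone tracing which volume is emitted once; the same flag appears in _job-db-drop-mysql.tpl. Renaming it to something like `etcVolumesEmitted`, or adding `{{- /* etc-service and db-init-conf are shared by every oslo-type entry, so emit them once */ -}}` above the range, would make the intent clear. Likewise `$configMapEtc` is mounted as a `secret:` volume despite its name; a one-line comment at its definition noting that it names a Secret would save the next reader a lookup.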
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
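Review bot: Neither the db-sync pod spec nor its container carries a security-context include, so nothing placed under `pod.security_context` in values can constrain this job, even though the ks-user template in the same commit wires both `kubernetes_pod_security_context` (pod level, right after `serviceAccountName`) and `kubernetes_container_security_context` (right after the resources include). Adding `{{ dict "envAll" $envAll "application" "db_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` under `serviceAccountName:` and `{{ dict "envAll" $envAll "application" "db_sync" "container" "db_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources line would let operators set runAsUser, readOnlyRootFilesystem and allowPrivilegeEscalation for this job the same way; whether the snippet tolerates an absent `pod.security_context.db_sync` key is not visible here, so confirm that before applying. The ks-endpoints, ks-service and rabbit-init templates in this commit have the same gap. These files appear to be bundled copies of helm-toolkit, so the change presumably also needs to land upstream to survive the next re-bundle.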
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
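Review bot: The `OS_SERVICE_NAME` env value is emitted unquoted while its siblings `OS_SVC_ENDPOINT`, `OS_SERVICE_TYPE` and `OS_SERVICE_ENDPOINT` are piped through `quote`; an env `value` must be a string, so a lookup result that YAML would type as something else (a purely numeric or boolean-looking service name) turns into an invalid Job manifest instead of a clear template error. `value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" | quote }}` keeps it a string regardless of what the lookup yields. The `image:` and `imagePullPolicy:` lines of the container are likewise unquoted here, whereas the db-sync and rabbit-init templates in this commit quote both. The ks-service template has the same unquoted `OS_SERVICE_NAME`, `image` and `imagePullPolicy` lines.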
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
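Review bot: The TLS volume mount and volume are gated only on `manifests.certificates`, while the `RABBITMQ_X509`/`USER_CERT_PATH` env block a few lines above additionally requires `ne $tlsSecret ""`; with certificates enabled and no `tlsSecret` passed in, the defaulted empty string reaches `tls_volume_mount` and `tls_volume` as the secret name. Unless those snippets skip an empty name themselves (not visible here), the pod would reference a Secret with an empty name, which the API server would most likely reject, so the job never starts. Using the same condition on both guards, `{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}`, keeps the three TLS pieces consistent with each other.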
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
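Review bot: `$s3UserSecret` and `$s3Bucket` are assigned near the top of `job_s3_bucket` but never referenced again in the template, so the documented `s3Bucket` dict key has no effect on the rendered Job; unless `helm-toolkit.snippets.rgw_s3_user_env_vars` (not visible here) already exports `S3_BUCKET`, the override should be fed to the container, e.g. `- name: S3_BUCKET` / `value: {{ $s3Bucket | quote }}`, or the two assignments dropped. The same unused `$s3UserSecret` assignment appears in `_job-s3-user.yaml.tpl`. The CA volume at the end of this hunk uses `defaultMode: 292` while the sibling volumes in this file write octal `0555`/`0444`; `defaultMode: 0444` keeps the file consistent. This Job also lacks the `"helm.sh/hook-delete-policy": before-hook-creation` annotation that the s3-user Job sets, which may be deliberate but is worth a one-line comment either way.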
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
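Review bot: the `ceph-keyring-placement` init container reads `ceph-admin-keyring.sh` from the `ceph-keyring-sh` volume, which is always backed by `$configMapBin`, even when the caller passes `secretBin` and the main `create-s3-user.sh` is taken from the Secret instead; a caller using `secretBin` therefore still needs the `<service>-bin` ConfigMap to carry that script, and the header comment does not say so. Suggest adding to the header: `# When secretBin is set, create-s3-user.sh is read from the Secret but ceph-admin-keyring.sh is still read from configMapBin.` The three `{{ end }}` closers after the `ceph-keyring` blocks have no `-` trim and leave blank lines in the rendered manifest; `{{- end }}` matches the other conditionals in this file.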
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
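Review bot: the `docker-socket` volume bind-mounts `/var/run/docker.sock` from the node, which hands the job container control of the node's container runtime (effectively node-level privilege), and neither the header comment nor the hostPath entry records that; the hostPath also has no `type`, so on a node without that socket the path is likely to be created as an empty directory and the job only fails later inside the script rather than at pod creation. Suggest `type: Socket` under the hostPath and a header line such as `# Requires hostPath access to the node's docker socket: the job must be allowed by the cluster's pod security admission/policy and only works on docker-based nodes.` Separately, `serviceAccountName: {{ $serviceAccountName }}` is unquoted here while the sibling s3 job templates use `| quote`; `serviceAccountName: {{ $serviceAccountName | quote }}` keeps the three consistent.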
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
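Review bot: when `$label` has no entry under `.Values.network_policy`, the template still emits a NetworkPolicy carrying only a `podSelector`, with no `policyTypes`, `ingress` or `egress`; Kubernetes treats such a policy as `policyTypes: [Ingress]` with no allowed sources, so the selected pods lose all ingress. That may be the intended secure default, but the `abstract` should state it, e.g. `If no network_policy entry exists for the label, an ingress-isolating (deny-all ingress) policy is rendered.` The second `usage` line is missing the `| include "helm-toolkit.manifests.kubernetes_network_policy"` pipeline that the first line has, so as written it renders nothing. The egress rules derived from `endpoints` infer the peer `application` label from the text before the first `-` of the host name; a comment on that heuristic would help, since a host without a dash falls back to the whole host value.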
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
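Review bot: the docblock disagrees with the code in two places: the example values put `name: {{ $userName }}` under `auth.<service>` while the template reads `$imageCredentials.username`, and the `return` example shows a `dockerconfigjson` key while the template emits `.dockerconfigjson` (the key kubelet expects for `kubernetes.io/dockerconfigjson`). The two examples are also byte-identical, so one can go. Building the auth JSON with `printf` and hand-escaped quotes is only correct while the host string contains no quote or backslash; `{{- $dockerAuth := dict "auths" (dict (printf "%s%s" $registryHost $registryPort) (dict "auth" $dockerAuthToken)) | toJson | b64enc }}` produces an equivalent document with proper escaping.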
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
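Review bot: when `host_fqdn_override.<endpoint>.tls` lacks `key` or `crt`, the template renders nothing, so the chart installs without the Secret named by `secrets.tls.<type>.<service>.<endpoint>` that an Ingress presumably references, and the problem surfaces only as a TLS error at runtime; the docblock should say so, e.g. `Renders nothing when tls.key or tls.crt is absent; any Ingress referencing the secret will then point at a missing Secret.` The `ca` value is appended to `tls.crt` as a chain rather than written to a separate `ca.crt` key; the first example shows that through the encoded output, but the abstract should state it in words.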
diff --git a/charts/designate/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/designate/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
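Review bot: the selector `app: ingress-api` is hard-coded and cannot be overridden through the dict, yet the header comment documents only `envAll` and `backendServiceType`; one more header line, `# The Service always selects pods labelled app=ingress-api; clusterIP is taken from endpoints.<backendServiceType>.ip.ingress when that key is set.`, would save readers a trip into the body. The three nested `index` guards are needed because `index` on a missing intermediate map is not safe, so a short comment above them explaining why they are not collapsed would prevent a well-meant "simplification".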
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
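Review bot: The https branch at L43261 passes `--no-check-certificate`, so the RGW admin access/secret keys in `ADMIN_AUTH_ARGS` (L43263) are sent to `$RGW_HOST` over a TLS session whose server certificate is never verified, which hands an on-path attacker the credentials that create buckets and grant ACLs. Unless RGW is known to run with a certificate no CA in the cluster can validate, verify when a CA is available and only fall back: `if [ -n "${RGW_CA_CERT:-}" ]; then CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT}"; else CONNECTION_ARGS+=" --no-check-certificate"; fi`. Both key pairs are also passed as command-line arguments at L43263-L43264, so they are readable in the pod's process list by anything else running there; writing each pair to a mode-0600 s3cmd config file and passing it with `-c` would keep them out of argv.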
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
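Review bot: `update_s3_user` (L43308-L43340) removes every access key that differs from `S3_ACCESS_KEY` at L43321 before the replacement pair is added at L43335, so if `radosgw-admin user modify` fails or the job pod is killed in between, the user is left with no keys and the consuming service is locked out until the job reruns. Running the `user modify` first and only then deleting the stale keys makes the rotation safe to interrupt. The `|| true` at L43311 and L43329 also turns a failed `user info` call into "no keys", which then triggers a `user modify` against a user whose real state is unknown; capture the JSON once, check the command's exit status separately, and fail if it is empty. The secret key is additionally visible in the pod's process list via `--secret-key ${S3_SECRET_KEY}` (L43306, L43338); that is a property of the `radosgw-admin` CLI rather than something this script can fix, but it is worth a comment so operators know the job pod must not share a PID namespace.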
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
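Review bot: The database and user names parsed from the service connection string are interpolated unquoted into `DROP DATABASE IF EXISTS {0}` (L43481) and `DROP USER IF EXISTS {0}` (L43489), so a name containing `-` or a reserved word fails, and a name containing `;` or a quote would run as additional SQL with root privileges. The values come from chart-managed secrets, so this is hardening rather than a live injection, but it is cheap: validate `database` and `user` against `^[A-Za-z0-9_]+$` after L43473 and quote the identifiers the way db-init's GRANT does (MySQL backtick quotes around the database name, single quotes around the user name). A bare user name in DROP USER resolves to the `'%'` host, which matches the account db-init creates, so no host suffix is needed.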
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
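Review bot: The service password is spliced into the GRANT statement with `.format()` at L43637-L43639, so a password containing `'` or `\` breaks the statement (the job fails) and one containing `%` collides with the DBAPI %-formatting that the `'%%'` host literal relies on. Generated chart secrets are usually alphanumeric, but an operator-supplied password is not guaranteed to be, and the same line also interpolates `database` and `user` unquoted. Bind the password as a parameter instead — build the statement with `sqlalchemy.text(...)`, write `IDENTIFIED BY :pw` and pass `pw=password` (then the host is written as `'%'` once, since `text()` should handle the paramstyle escaping) — and validate `database`/`user` against `^[A-Za-z0-9_]+$` before executing. `mysql_x509` is appended verbatim at the end of the GRANT; presumably it holds `REQUIRE X509` when set, so a comment stating the expected values at L43559 would help the next reader.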
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
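Review bot: With `set -ex` at L43677 the shell traces every command with variables expanded, so `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` (L43721) and `ALTER USER ... with password '$USER_DB_PASS'` (L43724) write the plaintext service password to the job's stdout and into whatever collects pod logs. Wrap those two `pgsql_superuser_cmd` calls in `set +x` / `set -x`, the way `_ks-user.sh.tpl` in this same toolkit masks its `openstack user set --password` call. Separately, `EXPORT PGDATABASE=$2` at L43707 is not a shell builtin (`export` is lowercase), so the first caller that passes a database name will abort under `set -e`; none of the calls in this file do, which is why it has not fired yet. A password containing `'` also breaks the SQL literal at L43721/L43724, which is worth noting in a comment even if generated secrets avoid it.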
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
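Review bot: Each entry of `IMAGE_SYNC_LIST` is pulled and re-pushed under the same reference at L43757-L43759, so a tag-only entry mirrors whatever that mutable tag currently resolves to, and a later run silently overwrites the mirrored content with no record of which digest was copied. `docker pull` prints a `Digest:` line, so capturing it and echoing `"${LOCAL_REPO}/${IMAGE} <- ${DIGEST}"` after the push would at least make the mirror auditable; note that `docker tag` refuses digest-form targets, so pinning has to happen in the list's source, not here. The unquoted `${IMAGE}` and `${LOCAL_REPO}/${IMAGE}` expansions are harmless while `IFS=','` but should be quoted for robustness.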
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
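Review bot: `set -ex` at L43799 traces every command with its arguments expanded, so `--password="${SERVICE_OS_PASSWORD}"` on L43813 and again on L43817 print the service user's plaintext password to the job's stdout and into the pod logs. The sibling `_ks-user.sh.tpl` in this same toolkit already handles this by switching to `set +x` around its `openstack user set --password` call and echoing a masked line; do the same here, with `set +x` before the `openstack user create` at L43810 and `set -x` after the `openstack user set` at L43817. The `user create --or-show` passes the password too, so the masking must cover both commands, not only the `user set`.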
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
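Review bot: `OS_SERVICE_ID` at L43880-L43882 comes from a pipeline whose exit status under `set -e` is `sed`'s, so a failed `openstack service list` (the intermittent error `_ks-service.sh.tpl` documents) yields an empty id and the script carries on to `openstack endpoint create` at L43915 with an empty `"${OS_SERVICE_ID}"` argument, while two services sharing name and type produce a multi-line id and an endpoint against whichever parses first. Fail early after L43882: `[ "$(echo "${OS_SERVICE_ID}" | wc -w)" -eq 1 ] || { echo "expected exactly one service id for ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE}"; exit 1; }`. `set -o pipefail` would not help here because the endpoint lookup at L43885-L43887 legitimately returns no match on first run, so the explicit check is the safer fix.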
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
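Review bot: The retry loop at L43985-L43997 exits successfully on any non-empty `OS_SERVICE_ID` (L43992), including the two-ids case that the comment at L43970-L43981 is trying to prevent, so an already-duplicated service is left in place and consumers keep hitting the "Invalid Service Catalog" error the comment describes. Checking the count rather than non-emptiness — `[ "$(echo "${OS_SERVICE_ID}" | wc -w)" -eq 1 ] && exit 0`, with a loud `exit 1` when it is greater than one — surfaces the condition instead of masking it. Because `set -e` only sees the last command of the pipeline at L43987-L43989, a transport failure still looks like "not found"; three attempts two seconds apart is a narrow window and a longer backoff would cost little.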
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
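Review bot: The member-role assignment at L44116-L44119 appears to be a no-op: `ks_assign_user_role` recomputes `USER_ROLE_ID` from `$SERVICE_OS_ROLE` (L44093-L44098), which still holds the last entry of `SERVICE_OS_ROLES` after the loop at L44111, so the value exported on L44117 is overwritten and `MEMBER_OS_ROLE` is only granted when it already appears in the list. Unless I am misreading the intent, replace the `export USER_ROLE_ID=...` on L44117-L44118 with `SERVICE_OS_ROLE="${MEMBER_OS_ROLE}"` and keep the call, or better give the function a parameter (`local ROLE="${1:-$SERVICE_OS_ROLE}"`) and invoke it with `"${MEMBER_OS_ROLE}"`. `IFS=','` set at L44110 is also never restored, which is harmless for the quoted expansions that follow but would surprise anyone appending unquoted expansions later; an `unset IFS` after the loop keeps it contained.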
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
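Review bot: The argument pass-through in rabbitmqadmin_cli is unquoted (`${@}` on both the TLS and plain branches), so every argument the callers build — including `password="${RABBITMQ_PASSWORD}"` at the `declare user` call — is re-split on whitespace and glob-expanded before rabbitmqadmin sees it; a password containing a space or `*` is silently mangled or spills into a separate argument. Replace both occurrences with `"$@"`. On the TLS branch `--ssl-disable-hostname-verification` is unconditional, so while the chain is still checked against `ca.crt`, any certificate issued by that CA is accepted for this host; if the broker's certificate carries the service name the flag should be dropped or made opt-in, with a comment recording why it is needed. The admin password is also passed as a `--password` flag on every call and is therefore visible in the process list for the life of each invocation; rabbitmqadmin can read host, user and password from an INI file given with `--config`, which keeps the credential out of the command line.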
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
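Review bot: `[ $revisionResults = "None" ]` in create_or_update_db leaves the command substitution unquoted, so if `rally db revision` prints nothing the test collapses to `[ = "None" ]` and fails with a syntax error (aborting under `set -e`) instead of creating the database; write `if [ "$revisionResults" = "None" ]`. The rally config at `/tmp/rally-config.json` holds both the admin and the service password and is created by the heredoc at a predictable path under the default umask; generating the name with `mktemp` or setting `umask 077` before the `cat` would narrow the exposure window before the `rm -f` that follows the deployment create.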
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Calculation remote file SHA256 hash
+ REMOTE_FILE=$(mktemp -p /tmp)
+ openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+ rm -rf ${REMOTE_FILE}
+ return 1
+ fi
+
+ # Remote backup verification
+ SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+ SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+ if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+ return 1
+ fi
+ rm -rf ${REMOTE_FILE}
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
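Review bot: `if $REMOTE_BACKUP; then` in backup_databases executes the value of REMOTE_BACKUP_ENABLED as a command, so any value other than the literal `true`/`false` (a typo, quoting the `sed` did not fully strip, or an unexpected string landing in the secret) runs as a shell command with the backup pod's credentials; compare the string instead, `if [[ "${REMOTE_BACKUP}" == "true" ]]; then`. Two smaller defects in the same hunk: `${$ARCHIVE_DIR}` in the else branch of remove_old_local_archives is a bad substitution that makes bash error out rather than log the warning when the directory is missing (should be `${ARCHIVE_DIR}`), and `[[ -z fileTable[${INDEX}] ]]` in create_hash_table tests a non-empty literal string, so the first entry for each index always takes the else branch and is stored with a leading space (should be `[[ -z "${fileTable[${INDEX}]}" ]]`). Note also that log_verify_backup_exit defaults ERRCODE to 0, so the `exit 1` that follows it in the verification-failure branch is unreachable and a failed verification ends the job with status 0; if that is deliberate, as the comment before the remote-send `exit 0` explains for that case, the dead `exit 1` should go and the intent be documented at the call. These files appear to be bundled copies of upstream helm-toolkit, so the fixes presumably belong upstream as well.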
diff --git a/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
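Review bot: `database_exists` does an unanchored substring `grep "${DB}" ${RESULT_FILE}`, so a request to restore `nova` passes the existence check whenever the archive holds only `nova_api` or `nova_cell0`, and the match line is also echoed to the caller's output; `grep -qx -- "${DB}" "${RESULT_FILE}"` matches a whole line and stays quiet. The `$?` test after the pipeline in `retrieve_remote_listing` reports awk's status rather than `openstack object list`'s, so a failed listing produces an empty `archive_list` and still prints "Archive listing successfully retrieved."; checking `${PIPESTATUS[0]}` (rather than `pipefail`, which would also fail on a legitimately empty grep) catches that. `list_archives` strips the local path with a hard-coded `cut -d '/' -f8-`, which only prints the right thing for one particular depth of `ARCHIVE_DIR`; `${archive#${ARCHIVE_DIR}/}` is depth-independent. This file appears to be a vendored copy of helm-toolkit, so the fix presumably belongs upstream as well as here.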
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
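Review bot: A missing `images.tags.<name>` entry is not caught at render time: `index $envAll.Values.images.tags $image` yields nil, `quote` turns it into `image: ""`, and the problem only surfaces when the pod fails to pull. Making the lookup `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}` fails `helm template`/`helm install` with a message that names the missing tag. The same applies to the `local_registry.active` branch, which would otherwise render a registry prefix with an empty image path.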
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
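Review bot: The header comment's `return:` example no longer matches what the define emits: it lists `OS_CACERT` unconditionally, while the template only renders it when `useCA` is set, and it omits `OS_DEFAULT_DOMAIN`, which is always rendered. The `usage:` line also does not show the `useCA` parameter that the define reads at its first line. I would add `"useCA" true` to the usage example, append the `OS_DEFAULT_DOMAIN` entry to the return block, and mark `OS_CACERT` there as `# only when useCA is true`. Worth noting in the same header that `OS_ENDPOINT_TYPE` deliberately reads the `OS_INTERFACE` key, since a reader is likely to flag it as a copy-paste error otherwise.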
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
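Review bot: This snippet has none of the `abstract`/`values`/`usage`/`return` header that every sibling snippet in this directory carries, so a reader has to infer from the `index` calls that it takes a tuple of user class, identity endpoint name and context. A short header in that format, showing `{{ tuple "admin" "internal" . | include "helm-toolkit.snippets.keystone_secret_openrc" }}` and the resulting keys, would bring it in line. The identity fields are also piped straight into `b64enc`, so an unset `username` or `password` in `endpoints.identity.auth.<class>` either aborts the render with an opaque type error or writes an empty value into the Secret (I cannot tell which from here); `{{ $userContext.password | required "identity auth password is not set" | b64enc }}` gives a clear failure either way.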
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
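Review bot: The `usage:` example in the header passes `"useCA" true`, but the define only reads `.ksUserSecret` and never emits an `OS_CACERT` entry, so the parameter is silently ignored. Either drop `"useCA" true` from the example or add `# useCA is accepted for symmetry with keystone_openrc_env_vars but currently unused` next to the usage line so callers do not expect a CA to be wired through.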
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
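Review bot: The header's `values:` example places `apparmor_profiles` under `pod.mandatory_access_control`, but the define reads `$envAll.Values.conf.apparmor_profiles`, so a chart configured exactly as documented renders no ConfigMap at all. One of the two has to change; given the `toYaml` of the block, the `values:` example should move `apparmor_profiles` under a top-level `conf:` key. The `hasKey` guards cover every level under `pod` but not `Values.conf`, so a chart that enables `configmap_apparmor` without any `conf` section presumably fails the render with a nil-map error rather than skipping cleanly; `{{- if hasKey $envAll.Values "conf" -}}` before the `conf.apparmor_profiles` test keeps the style of the surrounding guards.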
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
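Review bot: The loader image is emitted as a bare `image: {{ $envAll.Values.images.tags.apparmor_loader }}` with no pull policy, whereas the entrypoint snippet in this same bundle renders its image through `{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}`, which presumably centralises pull-policy and registry handling; `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` here would keep the two consistent. The rendered init container is also hard-coded `privileged: true` with host paths `/sys` and `/etc/apparmor.d` mounted, gated only on `configmap_apparmor`, and the abstract should say so, e.g. `Enabling configmap_apparmor adds a privileged init container with hostPath mounts of /sys and /etc/apparmor.d to every pod that includes this snippet; such pods are not admitted under the baseline or restricted Pod Security Standards.`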
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
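Review bot: The `DEPENDENCY_JOBS_JSON` entry is written as `value: {{- toJson $deps.jobs | quote -}}`; the leading `{{-` trims the space after the colon, so the rendered line appears to be `value:"[...]"`, which is unlikely to be read as a key/value pair — the sibling `DEPENDENCY_POD_JSON` entry keeps the space, and `value: {{ toJson $deps.jobs | quote }}` would match it. Worth confirming against a rendered chart that has a structured (non-string) jobs dependency, since string-only job lists take the other branch and would not show the problem. The `_default_security_context` helper that makes the init container run as 65534 with a read-only root filesystem and no privilege escalation is a good default and deserves a one-line comment above the `$patchedEnvAll := mergeOverwrite` line saying that the chart's own `pod.security_context.kubernetes_entrypoint` values take precedence over it.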
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
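Review bot: A container name in `containerNames` that has no entry under `pod.mandatory_access_control.<podName>` is skipped silently by the `{{- if $apparmorProfile }}` guard, so a misspelled key yields a pod with no annotation for that container and no render error. That is reasonable for optional profiles, but the `note:` block should say it, e.g. `Containers without a profile entry (or with an empty one) get no annotation and therefore run without an AppArmor profile; check the rendered pod when adding a new container name.` The `container.apparmor.security.beta.kubernetes.io/` annotation is also the deprecated form — newer Kubernetes releases expose `securityContext.appArmorProfile` — so a comment noting that consumers on such releases should plan a migration would help.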
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
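Review bot: The Role rendered here grants `get` and `list` on every listed resource kind namespace-wide with no `resourceNames`, so a `secret` dependency lets the pod's service account read all Secrets in that namespace, not only the one it waits on. That is probably inherent to how the entrypoint polls, but it should be stated in a header comment above the `define`, e.g. `NOTE: rules are namespace-scoped and not restricted by resourceNames; a 'secrets' entry grants read access to every Secret in the namespace.` The `extensions` API group no longer serves workload resources on current Kubernetes and could be documented as retained for older clusters.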
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
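Review bot: The dependency-to-RBAC mapping in the `range $k, $v := $deps` loop covers `services`, `jobs`, `daemonset`, `pod` and `secret`, but the entrypoint snippet in this same bundle also reads `$deps.container` and `$deps.custom_resources` (see `DEPENDENCY_CONTAINER` and `DEPENDENCY_CUSTOM_RESOURCE`), and neither produces a rule here, so a chart using `custom_resources` dependencies presumably needs RBAC for that API group from elsewhere. A short comment on the loop, `{{/* NOTE: container and custom_resources dependencies get no Role rules from this snippet */}}`, would save the next maintainer from assuming coverage. The `randAlphaNum 32` placeholder key is removed with `unset` before rendering, so output stays deterministic; a comment saying why the placeholder exists would help, since a random value in a template otherwise reads as a diff-per-render risk.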
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
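Review bot: The `index $envAll.Values.pod.security_context $application "pod"` lookup on the `toYaml` line is guarded only by `hasKey ... $application`, not by the presence of a `pod` sub-key, so an application entry that defines only `container:` renders `securityContext:` followed by `null` and the pod gets no securityContext at all — no `runAsNonRoot`, no `runAsUser` — with no render error. The same silent empty `securityContext:` results when neither `pod.user` nor `pod.security_context` mentions the application. Guard the inner block with `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "pod" }}` and consider wrapping the lookup in `required` so a chart that expects a hardened pod context fails to render rather than silently dropping it. The docstring also misspells `seurity context`; it should read `security context`.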
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
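Review bot: `mergeOverwrite $probeTemplate $probeOverides` on the `{{ dict ( printf "%sProbe" $type ) ...` line mutates the `probeTemplate` dict the caller passed in, so a chart that builds that dict once and hands it to both the liveness and readiness calls has the `params` of the first call leak into the second. The usage example avoids this only because `include ... | fromYaml` constructs a fresh dict on every call. Merging into a copy keeps the helper side-effect free: `{{ dict ( printf "%sProbe" $type ) (mergeOverwrite (deepCopy $probeTemplate) $probeOverides ) | toYaml }}` (sprig `deepCopy`, available in Helm 3).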
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
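Review bot: The `container.seccomp.security.alpha.kubernetes.io/<name>` annotations emitted on the `container.seccomp...` line are the legacy seccomp mechanism, deprecated since Kubernetes v1.19 in favour of `securityContext.seccompProfile` and no longer honoured by recent releases, so on such clusters the configured profile is silently not applied and the pod runs without the intended syscall filter. Nothing in the snippet or its docstring warns the chart author of this. At minimum the abstract should carry a note such as `Deprecated: these annotations are ignored by Kubernetes releases that removed the alpha seccomp annotation; set securityContext.seccompProfile (type: Localhost, localhostProfile: <profile>) instead.`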
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
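Review bot: The license header at the top of this file is missing its first line (`Licensed under the Apache License, Version 2.0 (the "License");`), unlike every sibling snippet in this bundle, so the `you may not use this file` sentence has no antecedent. Restore the opening line so the header matches the other helm-toolkit templates.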
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
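Review bot: `enabled` is documented as a boolean on the `enabled: boolean check` line, but the usage example passes the string `"true"` and the `{{- if and $enabled (ne $name "") }}` test is plain Go-template truthiness, so any non-empty string — including `"false"` — renders the volume. Callers that template the flag from values as a string therefore get the TLS secret mounted unconditionally. Document that a real boolean is expected (as the sibling `tls_volume_mount` example does with `.Values.manifests.certificates`) and change the example to `{{- $opts := dict "enabled" true "name" "glance-tls-api" -}}`.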
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/designate/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
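Review bot: The `format` parameter read at `$format := index . "format" | default "configMap"` is not mentioned anywhere in the abstract/values/usage header, even though passing `"format" "Secret"` changes the output from block scalars to `b64enc` values. Add a line to the `values:` section such as `format: Secret  # optional; "configMap" (default) emits block scalars, "Secret" emits base64 values` and a second usage example for the Secret form. The two `hasPrefix "|\n"` branches also deserve a one-line comment; they appear to strip the literal block indicator that `toYaml` emits for multi-line strings before re-indenting, which is not obvious from the `regexReplaceAllLiteral` call alone.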
diff --git a/charts/designate/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/designate/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
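Review bot: The returned map includes `caKey` (the CA private key) in both the encoded and plain branches, but the `return:` block in the header lists only `ca`, `crt`, `exp` and `key`; a caller that pipes the whole result into a Secret will persist the CA signing key next to the leaf certificate without the documentation saying so. Either document `caKey` in the return block, noting where it ends up, or drop it from `$certificate` if no caller reads it. Separately, when `params.ca` is present but lacks either `crt` or `key`, the inner `hasKey` guard skips `set $local "ca"` and execution falls through to `genSignedCert` with `$local.ca` unset, which presumably fails with an error that does not name the cause; an explicit `{{- else }}{{- fail "params.ca must define both crt and key" }}` in that branch would surface the misconfiguration directly.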
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
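Review bot: Unlike the sibling snippets, this file carries no abstract/values/usage/return header, so the meaning of `override`, `prefix` and `append` on `$keyRoot` and the fixed `indent 4` has to be reverse-engineered from the body. Add a header stating that `override` replaces the rendered template entirely, that `prefix` and `append` are emitted verbatim before and after it, and that all output is indented four spaces (which appears to assume placement under a `data:` key; confirm against callers). A `values:` example with `override`, `prefix` and `append` set would make the precedence between them explicit.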
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
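Review bot: The `unset $context ".Files"` line near the top names the key with a leading dot, whereas the root context's key is `Files`, so this call appears to be a no-op and the Files object stays in the context that is later reused via `omit $context "Values"`; if the intent is to keep Files out of the per-node data it should read `{{- $_ := unset $context "Files" }}` (confirm against the upstream helm-toolkit copy, as this file is bundled). The guards that create a missing `spec`, `spec.template` and `spec.template.metadata` sit in the "input value hash" section, after the volume cross-reference loop and the affinity block have already dereferenced `spec.template.spec`, so they cannot protect those earlier accesses; placing them immediately after the `__daemonset_yaml` deep copy would make the ordering sound. The function also leaves `__daemonset_list`, `__default`, `__label_list`, `__volume_list`, `__volume` and `__daemonset_yaml` in `$context.Values`, and the `toYaml | fromYaml` copies omit only `conf` and `__daemonset_list`, so the other scratch keys are carried into each entry's `nodeData` and presumably into the rendered configmap and its hash. Unsetting them at the end, as is already done for `__current_label`, would keep the scratch state out of the chart's values.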
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
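Review bot: The slice branch stores its running result in `$envAll.Values.__deps` and never removes it, so after the include returns the chart's `.Values` still carries a `__deps` key holding the last merged dependency map; adding `{{- $_ := unset $envAll.Values "__deps" -}}` right after the `range` closes keeps that scratch state from surfacing in later dumps of `.Values`. The file also lacks the abstract/values/usage/return header the other utils carry; the string-versus-slice dispatch on `dependencyMixinParam` and the `dependencies.dynamic.targeted` lookup are not self-explanatory and deserve one. The header should also state that `pod_dependency` is intentionally left in `.Values`, since the result is read back from it on the final line.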
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
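Review bot: `$wtf` says nothing about what it holds; `$templateName` or `$siblingTemplate` would make the body readable without tracing the `replace`. That `replace $last $name` also substitutes every occurrence of the base name within `$context.Template.Name`, so a directory component that happens to equal the file name would be rewritten too; `{{- $templateName := printf "%s/%s" (dir $context.Template.Name) $name -}}` builds the sibling path without that ambiguity. A short abstract/usage header stating that the snippet renders the named sibling template from the caller's directory and returns its quoted sha256 would complete the file.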
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
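Review bot: The separator is emitted before the exclusion check, so an excluded image that is not the first key yields a doubled or trailing comma (`a,,c` or `a,b,`) in the output. Move the comma inside the include branch: `{{- if (not (has $k $imageExcludeList )) -}}`, then `{{- if not $local.first -}},{{- end -}}`, then `{{- index $imageDict $k -}}`. A header (abstract/values/return) would also help, since `.Values.images.local_registry.exclude` and `.Values.images.tags` are read from the caller's values with no documentation of their expected shape.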
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
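Review bot: The define on the line above wraps each element in single quotes without escaping a single quote that is already inside the value, so an element such as `it's` renders as `'it's'` and breaks whatever consumes the list; either escape in the form the consumer expects (for an SQL-style list `'{{- $v | replace "'" "''" -}}'`) or state in the abstract that values must not contain `'`. The abstract comment also misspells "separated" as "seperated". `$k` in the range is never used and could be `range $v := .`, matching the sibling joinListWithComma define.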
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
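Review bot: The first line of this file opens the license comment with `{/*` instead of `{{/*`, unlike every sibling helper in this directory, so unless this is an artifact of the diff rendering the license text is not a template comment and the closing `*/}}` is literal text rather than an action end. Helm discards the output of `_`-prefixed partials, so nothing visible breaks, but the file parses differently from the others and any tooling that lints template comments will trip on it; the fix is the one character, `{{/*`.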
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
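Review bot: The TODO in `helm-toolkit.utils._merge` is worth resolving rather than carrying over: because `result` defaults to `source` before the kind checks, merging a scalar (or nil) source onto a map or slice target silently replaces the whole subtree, which for a values override that typoes a key means an entire config section vanishes with no error. If that is not an intended override path, an explicit guard after the slice branch such as `{{- else if or (kindIs "map" $.target) (kindIs "slice" $.target) (kindIs "map" $.source) (kindIs "slice" $.source) -}}` followed by `{{- fail (printf "_merge: cannot merge %s into %s" (kindOf $.source) (kindOf $.target)) -}}` would surface the mistake at render time. The map branch also mutates `$.target` in place, which the header comment describes, but a one-line note at the define itself (`{{/* Mutates $.target in place; $.result aliases it for map merges */}}`) would save the next reader a trip to the top of the file.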
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_template.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
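Review bot: `replace $last $name` substitutes every occurrence of the basename in the full template path, not only the final component, so a directory component that happens to equal the calling template's basename would corrupt the computed name; `{{- $wtf := printf "%s/%s" (dir $context.Template.Name) $name -}}` expresses the intent directly and only touches the last segment. The name `$wtf` should also become something descriptive such as `$templatePath`, and the `base` line is the only action in the file without a trailing `-}}`, which leaves a stray newline before the include.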
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
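Review bot: Inside a section only slices get special handling; a nested map value falls into the `else` branch and is rendered with Go's default `map[...]` formatting, producing an INI line that is syntactically present but semantically garbage and that no render-time check catches. A guard before the final else, `{{- else if kindIs "map" $value -}}{{- fail (printf "to_ini: nested map at [%s] %s is not supported" $section $key) -}}`, turns that into a clear error. Values are also emitted unquoted and unescaped, so a string containing a newline becomes extra INI lines; that is presumably acceptable for chart-controlled values but is worth a sentence in the abstract.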
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
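Review bot: The usage block in the header comment documents the wrong helper and the wrong calling convention: it shows `include "helm-toolkit.utils.to_k8s_env_vars" .Values.test` with a single argument, while the define is `to_k8s_env_secret_vars` and reads a tuple (`index . 0` for the context, `index . 1` for the secrets map). The usage line should read `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}` so that the example actually renders the shown return value. As a minor point, `name: {{ $key }}` and `key: {{ $key }}` are the only unquoted scalars in the output and would be retyped by YAML if a key ever looked like a boolean or number; `| quote` on both would match how the sibling to_k8s_env_vars quotes its values.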
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/designate/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/designate/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
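Review bot: In the map branch a value whose `type` is absent or anything other than `multistring` or `csv` matches neither `if` arm and is dropped from the rendered config with no error, so a typo such as `type: multi-string` silently removes an option that the operator believes is set. Adding `{{ else -}}{{- fail (printf "to_oslo_conf: unsupported type %q for [%s] %s" $value.type $section $key) -}}` before the closing `{{ end -}}` of that chain makes the render fail instead. The same silent-drop shape does not exist in the sibling to_ini helper because it has no map branch, so this is the only place it needs fixing.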
diff --git a/charts/designate/charts/helm-toolkit/values.yaml b/charts/designate/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/designate/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/designate/requirements.lock b/charts/designate/requirements.lock
new file mode 100644
index 0000000..b701966
--- /dev/null
+++ b/charts/designate/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.49
+digest: sha256:17c2ccd48a8f79f15fc2fe5a59a1e0330cd6d0010ab5cc81a81575db31377a32
+generated: "2022-11-22T20:12:42.414567937Z"
diff --git a/charts/designate/requirements.yaml b/charts/designate/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/designate/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
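Review bot: The `repository: file://../../openstack-helm-infra/helm-toolkit` path points outside this chart tree, while the commit vendors helm-toolkit under charts/designate/charts/helm-toolkit; unless a sibling openstack-helm-infra checkout is present, `helm dependency update` for this chart will fail rather than use the vendored copy. The lock file in this commit pins `0.2.49` with a sha256 digest, which is the right supply-chain posture, but the version of the vendored subchart is not visible in this section, so it is worth confirming the two agree so that `helm dependency build` does not report the lock as stale. A one-line comment above `dependencies:` saying where the toolkit is expected to be resolved from (vendored copy versus the file:// path) would save the next maintainer the guesswork.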
diff --git a/charts/designate/templates/bin/_bootstrap.sh.tpl b/charts/designate/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..42ddf64
--- /dev/null
+++ b/charts/designate/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/designate/templates/bin/_db-sync.sh.tpl b/charts/designate/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..dfa8bde
--- /dev/null
+++ b/charts/designate/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+designate-manage database sync
+
diff --git a/charts/designate/templates/bin/_designate-api.sh.tpl b/charts/designate/templates/bin/_designate-api.sh.tpl
new file mode 100644
index 0000000..c1dfa37
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-api.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec designate-api \
+ --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/bin/_designate-central.sh.tpl b/charts/designate/templates/bin/_designate-central.sh.tpl
new file mode 100644
index 0000000..b684b46
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-central.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec designate-central \
+ --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/bin/_designate-mdns.sh.tpl b/charts/designate/templates/bin/_designate-mdns.sh.tpl
new file mode 100644
index 0000000..6770894
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-mdns.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ designate-mdns \
+ --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
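Review bot: `start` runs `designate-mdns` without `exec`, unlike the api and central scripts in this commit, so bash stays as PID 1 with the service as a child; a SIGTERM from Kubernetes (and the script's own `kill -TERM 1` in `stop`) lands on the shell, which does not forward it, and the service only dies at the SIGKILL deadline instead of shutting down gracefully. The fix is `exec designate-mdns \` on the line that starts the process. The same omission is in _designate-producer.sh.tpl (`designate-producer --config-file ...`) and _designate-worker.sh.tpl (`designate-worker \`) in this commit.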
diff --git a/charts/designate/templates/bin/_designate-producer.sh.tpl b/charts/designate/templates/bin/_designate-producer.sh.tpl
new file mode 100644
index 0000000..b2b9efc
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-producer.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ designate-producer --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/bin/_designate-sink.sh.tpl b/charts/designate/templates/bin/_designate-sink.sh.tpl
new file mode 100644
index 0000000..d552f8b
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-sink.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+COMMAND="${@:-start}"
+ exec designate-sink \
+ --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
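Review bot: This script is missing the `function start () {` line: after `COMMAND="${@:-start}"` the file goes straight to `exec designate-sink \` followed by a bare `}`, and the hunk's 25-line count (versus 27 for the otherwise identical api and central scripts) confirms the line is absent rather than a rendering artifact. As written, bash executes the `exec` at top level before ever reaching `$COMMAND`, so the service happens to start, but `stop` is unreachable, any argument passed to the script is ignored, and a shell that does not exec (e.g. when `designate-sink` is not on PATH) then hits a syntax error on the stray `}`. Insert a blank line and `function start () {` directly after the `COMMAND=` line to match the sibling scripts.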
diff --git a/charts/designate/templates/bin/_designate-worker.sh.tpl b/charts/designate/templates/bin/_designate-worker.sh.tpl
new file mode 100644
index 0000000..38e8fad
--- /dev/null
+++ b/charts/designate/templates/bin/_designate-worker.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ designate-worker \
+ --config-file /etc/designate/designate.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/designate/templates/configmap-bin.yaml b/charts/designate/templates/configmap-bin.yaml
new file mode 100644
index 0000000..2d93be0
--- /dev/null
+++ b/charts/designate/templates/configmap-bin.yaml
@@ -0,0 +1,50 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.configmap_bin }}
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: designate-bin
+data:
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |+
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ ks-service.sh: |+
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |+
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |+
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ designate-api.sh: |
+{{ tuple "bin/_designate-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ designate-central.sh: |
+{{ tuple "bin/_designate-central.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ designate-mdns.sh: |
+{{ tuple "bin/_designate-mdns.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ designate-worker.sh: |
+{{ tuple "bin/_designate-worker.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ designate-producer.sh: |
+{{ tuple "bin/_designate-producer.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ designate-sink.sh: |
+{{ tuple "bin/_designate-sink.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+
+{{- end }}
diff --git a/charts/designate/templates/configmap-etc.yaml b/charts/designate/templates/configmap-etc.yaml
new file mode 100644
index 0000000..dd1d4a2
--- /dev/null
+++ b/charts/designate/templates/configmap-etc.yaml
@@ -0,0 +1,81 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.configmap_etc }}
+
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.designate.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.designate.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "region_name" .Values.endpoints.identity.auth.designate.region_name -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "project_name" .Values.endpoints.identity.auth.designate.project_name -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.designate.project_domain_name -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.designate.user_domain_name -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "username" .Values.endpoints.identity.auth.designate.username -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "password" .Values.endpoints.identity.auth.designate.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.designate.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty (index .Values.conf.designate "storage:sqlalchemy").connection -}}
+{{- $_ := tuple "oslo_db" "internal" "designate" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set (index .Values.conf.designate "storage:sqlalchemy") "connection" -}}
+{{- $_ := tuple "oslo_db" "internal" "designate" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.designate.database "connection" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.designate.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "designate" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.designate.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty (index .Values.conf.designate "service:api").api_base_uri -}}
+{{- $_ := tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set (index .Values.conf.designate "service:api") "api_base_uri" -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: designate-etc
+type: Opaque
+data:
+ designate.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.designate | b64enc }}
+ api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.pools "key" "pools.yaml" "format" "Secret" ) | indent 2 }}
+
+{{- end }}
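Review bot: The `memcache_secret_key` fallback `default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key` produces a fresh random key on every render when the value is unset, so each `helm upgrade` rewrites the designate-etc Secret, changes the configmap-etc-hash annotation on every Deployment and presumably invalidates any keystone_authtoken cache entries signed with the previous key. The template gives no hint of this, so a comment above the block would help operators: `{{/* NOTE: with no memcache_secret_key in values a new key is generated on every render, rotating the cache key and restarting every pod that hashes configmap-etc.yaml */}}`. A related wrinkle: the `storage:sqlalchemy` guard also overwrites `.Values.conf.designate.database.connection`, so an operator who sets only the `database` form still gets it replaced by the looked-up URI.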
diff --git a/charts/designate/templates/deployment-api.yaml b/charts/designate/templates/deployment-api.yaml
new file mode 100644
index 0000000..b6680d8
--- /dev/null
+++ b/charts/designate/templates/deployment-api.yaml
@@ -0,0 +1,116 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_api }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_api := .Values.pod.mounts.designate_api.designate_api }}
+{{- $mounts_designate_api_init := .Values.pod.mounts.designate_api.init_container }}
+
+{{- $serviceAccountName := "designate-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: designate-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "designate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_designate_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: designate-api
+{{ tuple $envAll "designate_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/designate-api.sh
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/designate-api.sh
+ - stop
+ ports:
+ - name: dns-api
+ containerPort: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ httpGet:
+ scheme: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: designate-bin
+ mountPath: /tmp/designate-api.sh
+ subPath: designate-api.sh
+ readOnly: true
+ - name: pod-etc-designate
+ mountPath: /etc/designate
+ - name: pod-var-cache-designate
+ mountPath: /var/cache/designate
+ - name: designate-etc
+ mountPath: /etc/designate/designate.conf
+ subPath: designate.conf
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+ - name: designate-etc
+ mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_designate_api.volumeMounts }}{{ toYaml $mounts_designate_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-designate
+ emptyDir: {}
+ - name: pod-var-cache-designate
+ emptyDir: {}
+ - name: designate-bin
+ configMap:
+ name: designate-bin
+ defaultMode: 0555
+ - name: designate-etc
+ secret:
+ secretName: designate-etc
+ defaultMode: 0444
+{{ if $mounts_designate_api.volumes }}{{ toYaml $mounts_designate_api.volumes | indent 8 }}{{ end }}
+{{- end }}
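Review bot: The designate-api container has only a `readinessProbe` (the `httpGet` on `/`) and no `livenessProbe`, so a wedged API process is dropped from the Service endpoints but never restarted. The smallest fix mirrors the readiness block under a `livenessProbe:` key with an initial delay, as sketched below. The probe scheme is taken from `keystone_endpoint_scheme_lookup`, yet no TLS material is mounted anywhere in this hunk, so an `https` internal endpoint would presumably fail both probes unless TLS is terminated in front of the pod; worth confirming against the endpoints values.
```yaml
          readinessProbe:
            # … unchanged: httpGet scheme/path/port …
          livenessProbe:
            httpGet:
              scheme: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
              path: /
              port: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
            initialDelaySeconds: 30
```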
diff --git a/charts/designate/templates/deployment-central.yaml b/charts/designate/templates/deployment-central.yaml
new file mode 100644
index 0000000..02d9f3c
--- /dev/null
+++ b/charts/designate/templates/deployment-central.yaml
@@ -0,0 +1,101 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_central }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_central := .Values.pod.mounts.designate_central.designate_central }}
+{{- $mounts_designate_central_init := .Values.pod.mounts.designate_central.init_container }}
+
+{{- $serviceAccountName := "designate-central" }}
+{{ tuple $envAll "central" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: designate-central
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.central }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.central.node_selector_key }}: {{ .Values.labels.central.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "central" $mounts_designate_central_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: designate-central
+{{ tuple $envAll "designate_central" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.central | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_central" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - bash
+ - /tmp/designate-central.sh
+ volumeMounts:
+ - name: designate-bin
+ mountPath: /tmp/designate-central.sh
+ subPath: designate-central.sh
+ readOnly: true
+ - name: pod-etc-designate
+ mountPath: /etc/designate
+ - name: pod-var-cache-designate
+ mountPath: /var/cache/designate
+ - name: designate-etc
+ mountPath: /etc/designate/designate.conf
+ subPath: designate.conf
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+ - name: designate-etc
+ mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_designate_central.volumeMounts }}{{ toYaml $mounts_designate_central.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-designate
+ emptyDir: {}
+ - name: pod-var-cache-designate
+ emptyDir: {}
+ - name: designate-bin
+ configMap:
+ name: designate-bin
+ defaultMode: 0555
+ - name: designate-etc
+ secret:
+ secretName: designate-etc
+ defaultMode: 0444
+{{ if $mounts_designate_central.volumes }}{{ toYaml $mounts_designate_central.volumes | indent 8 }}{{ end }}
+{{- end }}
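Review bot: The pod-level security context is missing from the pod `spec` between `serviceAccountName:` and `affinity:`, whereas deployment-api.yaml and deployment-mdns.yaml render `{{ dict "envAll" $envAll "application" "designate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` at that position. Without it the pod-wide settings from values (presumably runAsUser/fsGroup under the chart's pod security_context key) are not applied to the central pod, so the container-level snippet on the next lines is only half of the intended hardening and file ownership on the emptyDir volumes may differ from the api and mdns pods. The same line is missing in deployment-producer.yaml, deployment-sink.yaml and deployment-worker.yaml.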
diff --git a/charts/designate/templates/deployment-mdns.yaml b/charts/designate/templates/deployment-mdns.yaml
new file mode 100644
index 0000000..d58f630
--- /dev/null
+++ b/charts/designate/templates/deployment-mdns.yaml
@@ -0,0 +1,112 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_mdns }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_mdns := .Values.pod.mounts.designate_mdns.designate_mdns }}
+{{- $mounts_designate_mdns_init := .Values.pod.mounts.designate_mdns.init_container }}
+
+{{- $serviceAccountName := "designate-mdns" }}
+{{ tuple $envAll "mdns" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: designate-mdns
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.mdns }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "designate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.mdns.node_selector_key }}: {{ .Values.labels.mdns.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.mdns.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "mdns" $mounts_designate_mdns_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: designate-mdns
+{{ tuple $envAll "designate_mdns" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.mdns | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_mdns" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ ports:
+ - name: d-mdns
+ containerPort: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ - name: d-mdns-udp
+ containerPort: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ protocol: UDP
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ command:
+ - bash
+ - /tmp/designate-mdns.sh
+ volumeMounts:
+ - name: designate-bin
+ mountPath: /tmp/designate-mdns.sh
+ subPath: designate-mdns.sh
+ readOnly: true
+ - name: pod-etc-designate
+ mountPath: /etc/designate
+ - name: pod-var-cache-designate
+ mountPath: /var/cache/designate
+ - name: designate-etc
+ mountPath: /etc/designate/designate.conf
+ subPath: designate.conf
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+ - name: designate-etc
+ mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_designate_mdns.volumeMounts }}{{ toYaml $mounts_designate_mdns.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-designate
+ emptyDir: {}
+ - name: pod-var-cache-designate
+ emptyDir: {}
+ - name: designate-bin
+ configMap:
+ name: designate-bin
+ defaultMode: 0555
+ - name: designate-etc
+ secret:
+ secretName: designate-etc
+ defaultMode: 0444
+{{ if $mounts_designate_mdns.volumes }}{{ toYaml $mounts_designate_mdns.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/deployment-producer.yaml b/charts/designate/templates/deployment-producer.yaml
new file mode 100644
index 0000000..491dbad
--- /dev/null
+++ b/charts/designate/templates/deployment-producer.yaml
@@ -0,0 +1,101 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_producer }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_producer := .Values.pod.mounts.designate_producer.designate_producer }}
+{{- $mounts_designate_producer_init := .Values.pod.mounts.designate_producer.init_container }}
+
+{{- $serviceAccountName := "designate-producer" }}
+{{ tuple $envAll "producer" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: designate-producer
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "designate" "producer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.producer }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "designate" "producer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "designate" "producer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "designate" "producer" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.producer.node_selector_key }}: {{ .Values.labels.producer.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "producer" $mounts_designate_producer_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: designate-producer
+{{ tuple $envAll "designate_producer" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.producer | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_producer" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - bash
+ - /tmp/designate-producer.sh
+ volumeMounts:
+ - name: designate-bin
+ mountPath: /tmp/designate-producer.sh
+ subPath: designate-producer.sh
+ readOnly: true
+ - name: pod-etc-designate
+ mountPath: /etc/designate
+ - name: pod-var-cache-designate
+ mountPath: /var/cache/designate
+ - name: designate-etc
+ mountPath: /etc/designate/designate.conf
+ subPath: designate.conf
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+ - name: designate-etc
+ mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_designate_producer.volumeMounts }}{{ toYaml $mounts_designate_producer.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-designate
+ emptyDir: {}
+ - name: pod-var-cache-designate
+ emptyDir: {}
+ - name: designate-bin
+ configMap:
+ name: designate-bin
+ defaultMode: 0555
+ - name: designate-etc
+ secret:
+ secretName: designate-etc
+ defaultMode: 0444
+{{ if $mounts_designate_producer.volumes }}{{ toYaml $mounts_designate_producer.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/deployment-sink.yaml b/charts/designate/templates/deployment-sink.yaml
new file mode 100644
index 0000000..e577d9d
--- /dev/null
+++ b/charts/designate/templates/deployment-sink.yaml
@@ -0,0 +1,97 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_sink }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_sink := .Values.pod.mounts.designate_sink.designate_sink }}
+{{- $mounts_designate_sink_init := .Values.pod.mounts.designate_sink.init_container }}
+
+{{- $serviceAccountName := "designate-sink" }}
+{{ tuple $envAll "sink" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: designate-sink
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "designate" "sink" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.sink }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "designate" "sink" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "designate" "sink" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "designate" "sink" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.sink.node_selector_key }}: {{ .Values.labels.sink.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "sink" $mounts_designate_sink_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: designate-sink
+{{ tuple $envAll "designate_sink" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.sink | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_sink" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - bash
+ - /tmp/designate-sink.sh
+ volumeMounts:
+ - name: designate-bin
+ mountPath: /tmp/designate-sink.sh
+ subPath: designate-sink.sh
+ readOnly: true
+ - name: pod-etc-designate
+ mountPath: /etc/designate
+ - name: pod-var-cache-designate
+ mountPath: /var/cache/designate
+ - name: designate-etc
+ mountPath: /etc/designate/designate.conf
+ subPath: designate.conf
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+ - name: designate-etc
+ mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_designate_sink.volumeMounts }}{{ toYaml $mounts_designate_sink.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-designate
+ emptyDir: {}
+ - name: pod-var-cache-designate
+ emptyDir: {}
+ - name: designate-bin
+ configMap:
+ name: designate-bin
+ defaultMode: 0555
+ - name: designate-etc
+ secret:
+ secretName: designate-etc
+ defaultMode: 0444
+{{ if $mounts_designate_sink.volumes }}{{ toYaml $mounts_designate_sink.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/designate/templates/deployment-worker.yaml b/charts/designate/templates/deployment-worker.yaml
new file mode 100644
index 0000000..74f9c99
--- /dev/null
+++ b/charts/designate/templates/deployment-worker.yaml
@@ -0,0 +1,126 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.deployment_worker }}
+
+{{- $envAll := . }}
+{{- $mounts_designate_worker := .Values.pod.mounts.designate_worker.designate_worker }}
+{{- $mounts_designate_worker_init := .Values.pod.mounts.designate_worker.init_container }}
+
+{{- $serviceAccountName := "designate-worker" }}
+{{ tuple $envAll "worker" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: designate-worker
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "designate" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.worker }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "designate" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "designate" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "designate" "worker" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.worker.node_selector_key }}: {{ .Values.labels.worker.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "worker" $mounts_designate_worker_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: designate-worker-init
+{{ tuple $envAll "designate_worker" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - bash
+ - -c
+ - 'eval "echo \"$(cat /tmp/designate_pools.template)\"" > /etc/designate/pools.yaml && designate-manage pool update'
+ volumeMounts:
+ - name: designate-etc
+ mountPath: /tmp/designate_pools.template
+ subPath: pools.yaml
+ readOnly: true
+ - name: pod-etc-designate
+ mountPath: /etc/designate
+ - name: designate-etc
+ mountPath: /etc/designate/designate.conf
+ subPath: designate.conf
+ readOnly: true
+ {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+ - name: designate-etc
+ mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_designate_worker.volumeMounts }}{{ toYaml $mounts_designate_worker.volumeMounts | indent 12 }}{{ end }}
+ containers:
+ - name: designate-worker
+{{ tuple $envAll "designate_worker" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "designate" "container" "designate_worker" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - bash
+ - /tmp/designate-worker.sh
+ volumeMounts:
+ - name: designate-bin
+ mountPath: /tmp/designate-worker.sh
+ subPath: designate-worker.sh
+ readOnly: true
+ - name: pod-etc-designate
+ mountPath: /etc/designate
+ - name: pod-var-cache-designate
+ mountPath: /var/cache/designate
+ - name: designate-etc
+ mountPath: /etc/designate/designate.conf
+ subPath: designate.conf
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: designate-etc
+ mountPath: /etc/designate/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ {{- if .Values.conf.designate.DEFAULT.log_config_append }}
+ - name: designate-etc
+ mountPath: {{ .Values.conf.designate.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.designate.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_designate_worker.volumeMounts }}{{ toYaml $mounts_designate_worker.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-designate
+ emptyDir: {}
+ - name: pod-var-cache-designate
+ emptyDir: {}
+ - name: designate-bin
+ configMap:
+ name: designate-bin
+ defaultMode: 0555
+ - name: designate-etc
+ secret:
+ secretName: designate-etc
+ defaultMode: 0444
+{{ if $mounts_designate_worker.volumes }}{{ toYaml $mounts_designate_worker.volumes | indent 8 }}{{ end }}
+{{- end }}
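Review bot: The `designate-worker-init` init container renders no `kubernetes_container_security_context` snippet, while the main `designate-worker` container in the same hunk does, so the init step runs with the image defaults rather than the chart's hardened settings; adding `{{ dict "envAll" $envAll "application" "designate" "container" "designate_worker_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` (with a matching container key in values) would close the gap. Its command also runs the rendered pools template through `eval "echo \"$(cat /tmp/designate_pools.template)\""`, which means any `$(...)`, backtick or unbalanced quote in pools.yaml is executed or breaks the render rather than being treated as data; since the template already goes through the Go templater via values_template_renderer in configmap-etc.yaml, a plain copy of the rendered file would be the safer path. Note as well that `designate-manage pool update` runs on every worker pod start, so with `pod.replicas.worker` above one several replicas perform the update concurrently during a rollout.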
diff --git a/charts/designate/templates/ingress-api.yaml b/charts/designate/templates/ingress-api.yaml
new file mode 100644
index 0000000..9b0a3b1
--- /dev/null
+++ b/charts/designate/templates/ingress-api.yaml
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.ingress_api }}
+
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "dns" "backendPort" "dns-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-bootstrap.yaml b/charts/designate/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..dc4350e
--- /dev/null
+++ b/charts/designate/templates/job-bootstrap.yaml
@@ -0,0 +1,58 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.job_bootstrap }}
+
+{{- $envAll := . }}
+{{- if .Values.bootstrap.enabled }}
+{{- $mounts_designate_bootstrap := .Values.pod.mounts.designate_bootstrap.designate_bootstrap }}
+{{- $mounts_designate_bootstrap_init := .Values.pod.mounts.designate_bootstrap.init_container }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: designate-bootstrap
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "designate" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "bootstrap" $mounts_designate_bootstrap_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: designate-bootstrap
+ image: {{ .Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ command:
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: designate-bin
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+{{ if $mounts_designate_bootstrap.volumeMounts }}{{ toYaml $mounts_designate_bootstrap.volumeMounts | indent 10 }}{{ end }}
+ volumes:
+ - name: designate-bin
+ configMap:
+ name: designate-bin
+ defaultMode: 0555
+{{ if $mounts_designate_bootstrap.volumes }}{{ toYaml $mounts_designate_bootstrap.volumes | indent 6 }}{{ end }}
+{{- end }}
+{{- end }}
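Review bot: The bootstrap Job sets no `serviceAccountName` and does not call `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount`, yet its initContainers line pulls in the kubernetes-entrypoint dependency-check container, which asks the API server about the jobs and services it waits on; as written the pod runs under the namespace default ServiceAccount, whose RBAC most likely does not allow that (the rest of the chart is outside this chunk, so a shared account may be defined elsewhere). The bootstrap container also writes `image:`/`imagePullPolicy:` by hand and carries no container security context, whereas the worker container in the preceding hunk goes through `helm-toolkit.snippets.image` and `helm-toolkit.snippets.kubernetes_container_security_context`. The rewritten lines are below; the `designate_bootstrap` container key has to match an entry under `pod.security_context` in values.yaml, which the visible part of that file does not show.
```yaml
{{- $envAll := . }}
{{- if .Values.bootstrap.enabled }}
{{- $serviceAccountName := "designate-bootstrap" }}
{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
# … unchanged: mount lookups, Job metadata, pod template labels …
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
# … unchanged: nodeSelector, initContainers …
      containers:
        - name: designate-bootstrap
{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "designate" "container" "designate_bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
# … unchanged: env, command, volumeMounts, volumes …
```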
diff --git a/charts/designate/templates/job-db-init.yaml b/charts/designate/templates/job-db-init.yaml
new file mode 100644
index 0000000..1030d86
--- /dev/null
+++ b/charts/designate/templates/job-db-init.yaml
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+
+{{- $dbInitJob := dict "envAll" . "serviceName" "designate" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-db-sync.yaml b/charts/designate/templates/job-db-sync.yaml
new file mode 100644
index 0000000..7765114
--- /dev/null
+++ b/charts/designate/templates/job-db-sync.yaml
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+
+{{- $dbSyncJob := dict "envAll" . "serviceName" "designate" "podVolMounts" .Values.pod.mounts.designate_db_sync.designate_db_sync.volumeMounts "podVols" .Values.pod.mounts.designate_db_sync.designate_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-ks-endpoints.yaml b/charts/designate/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..b1f3c1f
--- /dev/null
+++ b/charts/designate/templates/job-ks-endpoints.yaml
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+
+{{- $ksServiceJob := dict "envAll" . "serviceName" "designate" "serviceTypes" ( tuple "dns" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+
+{{- end }}
diff --git a/charts/designate/templates/job-ks-service.yaml b/charts/designate/templates/job-ks-service.yaml
new file mode 100644
index 0000000..b7fc4b5
--- /dev/null
+++ b/charts/designate/templates/job-ks-service.yaml
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+
+{{- $ksServiceJob := dict "envAll" . "serviceName" "designate" "serviceTypes" ( tuple "dns" ) "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+
+ {{- end }}
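Review bot: The closing `{{- end }}` on the last line of this template carries a leading space; the `{{-` trim drops it from the rendered output, so nothing breaks, but it is the only job template in this set whose closing tag is indented. Write it as `{{- end }}` at column 0 to match job-ks-endpoints and the other job templates.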
diff --git a/charts/designate/templates/job-ks-user.yaml b/charts/designate/templates/job-ks-user.yaml
new file mode 100644
index 0000000..081f013
--- /dev/null
+++ b/charts/designate/templates/job-ks-user.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# $% What does following represent?
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+
+{{- $ksUserJob := dict "envAll" . "serviceName" "designate" "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+
+{{- end }}
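Review bot: The line `# $% What does following represent?` is a leftover question, and because `#` is a YAML comment rather than a `{{/* */}}` template comment, Helm renders it into the manifest that is sent to the cluster. Replace it with the answer, e.g. `# Helm hook annotations for the ks-user job: run after install/upgrade; weight -1 orders it after ks-service (-3) and ks-endpoints (-2)`, or remove it. For commentary that should stay template-only, the `{{/* … */}}` form already used by job-rabbit-init in this commit is the better fit.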
diff --git a/charts/designate/templates/job-rabbit-init.yaml b/charts/designate/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..fc6e707
--- /dev/null
+++ b/charts/designate/templates/job-rabbit-init.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "designate" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/designate/templates/pdb-api.yaml b/charts/designate/templates/pdb-api.yaml
new file mode 100644
index 0000000..31c1532
--- /dev/null
+++ b/charts/designate/templates/pdb-api.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_api }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: designate-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+ app: designate-api
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
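Review bot: This PDB's selector requires both `app: designate-api` and the labels emitted by `helm-toolkit.snippets.kubernetes_metadata_labels`, while pdb-central, pdb-mdns, pdb-producer, pdb-sink and pdb-worker select on `app: designate-<component>` alone; if the Deployment pod templates label pods only through that snippet, as the bootstrap Job template in this commit does, none of these selectors matches any pod and the budgets protect nothing (the Deployment templates are outside this chunk, so this is inferred). Selecting through the snippet alone, e.g. `{{ tuple $envAll "designate" "central" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}` in place of the `app:` line in each file, matches how the bootstrap Job and service-api identify pods. Note also that every budget defaults to `min_available: 0`, so until an operator raises it these objects are effectively no-ops.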
diff --git a/charts/designate/templates/pdb-central.yaml b/charts/designate/templates/pdb-central.yaml
new file mode 100644
index 0000000..54b8139
--- /dev/null
+++ b/charts/designate/templates/pdb-central.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_central }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: designate-central
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.central.min_available }}
+ selector:
+ matchLabels:
+ app: designate-central
+{{- end }}
diff --git a/charts/designate/templates/pdb-mdns.yaml b/charts/designate/templates/pdb-mdns.yaml
new file mode 100644
index 0000000..b14861c
--- /dev/null
+++ b/charts/designate/templates/pdb-mdns.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_mdns }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: designate-mdns
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.mdns.min_available }}
+ selector:
+ matchLabels:
+ app: designate-mdns
+{{- end }}
diff --git a/charts/designate/templates/pdb-producer.yaml b/charts/designate/templates/pdb-producer.yaml
new file mode 100644
index 0000000..6fa2450
--- /dev/null
+++ b/charts/designate/templates/pdb-producer.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_producer }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: designate-producer
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.producer.min_available }}
+ selector:
+ matchLabels:
+ app: designate-producer
+{{- end }}
diff --git a/charts/designate/templates/pdb-sink.yaml b/charts/designate/templates/pdb-sink.yaml
new file mode 100644
index 0000000..27acd0a
--- /dev/null
+++ b/charts/designate/templates/pdb-sink.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_sink }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: designate-sink
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.sink.min_available }}
+ selector:
+ matchLabels:
+ app: designate-sink
+{{- end }}
diff --git a/charts/designate/templates/pdb-worker.yaml b/charts/designate/templates/pdb-worker.yaml
new file mode 100644
index 0000000..8af1ca4
--- /dev/null
+++ b/charts/designate/templates/pdb-worker.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.pdb_worker }}
+
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: designate-worker
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.worker.min_available }}
+ selector:
+ matchLabels:
+ app: designate-worker
+{{- end }}
diff --git a/charts/designate/templates/secret-db.yaml b/charts/designate/templates/secret-db.yaml
new file mode 100644
index 0000000..c37b96e
--- /dev/null
+++ b/charts/designate/templates/secret-db.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.secret_db }}
+
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "designate" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/templates/secret-ingress-tls.yaml b/charts/designate/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..a5909b1
--- /dev/null
+++ b/charts/designate/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "dns" ) }}
+{{- end }}
diff --git a/charts/designate/templates/secret-keystone.yaml b/charts/designate/templates/secret-keystone.yaml
new file mode 100644
index 0000000..5c3d956
--- /dev/null
+++ b/charts/designate/templates/secret-keystone.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.secret_keystone }}
+
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "designate" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/templates/secret-rabbitmq.yaml b/charts/designate/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..01c8362
--- /dev/null
+++ b/charts/designate/templates/secret-rabbitmq.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "designate" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/designate/templates/secret-registry.yaml b/charts/designate/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/designate/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/designate/templates/service-api.yaml b/charts/designate/templates/service-api.yaml
new file mode 100644
index 0000000..8a26cb6
--- /dev/null
+++ b/charts/designate/templates/service-api.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.service_api }}
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "dns" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: dns-api
+ port: {{ tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ selector:
+{{ tuple $envAll "designate" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/designate/templates/service-ingress-api.yaml b/charts/designate/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..7e12fd2
--- /dev/null
+++ b/charts/designate/templates/service-ingress-api.yaml
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.service_ingress_api }}
+
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "dns" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+
+{{- end }}
diff --git a/charts/designate/templates/service-mdns.yaml b/charts/designate/templates/service-mdns.yaml
new file mode 100644
index 0000000..ced9fd6
--- /dev/null
+++ b/charts/designate/templates/service-mdns.yaml
@@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.manifests.service_mdns }}
+
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "mdns" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: d-mdns
+ port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ - name: d-mdns-udp
+ port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ protocol: UDP
+ selector:
+{{ tuple $envAll "designate" "mdns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.mdns.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.mdns.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
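Review bot: `type: NodePort` is emitted when `network.mdns.node_port.enabled` is true, but neither port entry sets `nodePort:`, so the `network.mdns.node_port.port` value (5354 in this commit's values.yaml) is never applied and Kubernetes allocates a random node port; since `node_port.enabled` defaults to true, every install opens mdns on all nodes at an unpredictable port, which external DNS servers cannot be pointed at. Add `nodePort: {{ .Values.network.mdns.node_port.port }}` under both the TCP and UDP entries behind the same condition (Kubernetes permits one nodePort number for different protocols within a Service, as far as I recall — verify). The untrimmed `{{ if }}`/`{{ end }}` lines at the bottom also emit whitespace-only lines into the rendered manifest; `{{- if … }}` / `{{- end }}` avoids that.
```yaml
  ports:
    - name: d-mdns
      port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      {{- if .Values.network.mdns.node_port.enabled }}
      nodePort: {{ .Values.network.mdns.node_port.port }}
      {{- end }}
    - name: d-mdns-udp
      port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      protocol: UDP
      {{- if .Values.network.mdns.node_port.enabled }}
      nodePort: {{ .Values.network.mdns.node_port.port }}
      {{- end }}
# … unchanged: selector, NodePort type / externalTrafficPolicy block …
```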
diff --git a/charts/designate/values.yaml b/charts/designate/values.yaml
new file mode 100644
index 0000000..7abd43d
--- /dev/null
+++ b/charts/designate/values.yaml
@@ -0,0 +1,851 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for designate.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ central:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ producer:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ worker:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ mdns:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ sink:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ tags:
+ bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ designate_db_sync: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+ designate_api: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+ designate_central: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+ designate_mdns: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+ designate_worker: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+ designate_producer: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+ designate_sink: docker.io/openstackhelm/designate:wallaby-ubuntu_focal
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+pod:
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ mounts:
+ designate_api:
+ init_container: null
+ designate_api:
+ volumeMounts:
+ volumes:
+ designate_central:
+ init_container: null
+ designate_central:
+ volumeMounts:
+ volumes:
+ designate_mdns:
+ init_container: null
+ designate_mdns:
+ volumeMounts:
+ volumes:
+ designate_worker:
+ init_container: null
+ designate_worker:
+ volumeMounts:
+ volumes:
+ designate_producer:
+ init_container: null
+ designate_producer:
+ volumeMounts:
+ volumes:
+ designate_sink:
+ init_container: null
+ designate_sink:
+ volumeMounts:
+ volumes:
+ designate_db_sync:
+ designate_db_sync:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ central: 1
+ mdns: 1
+ producer: 1
+ sink: 1
+ worker: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ central:
+ min_available: 0
+ mdns:
+ min_available: 0
+ worker:
+ min_available: 0
+ producer:
+ min_available: 0
+ sink:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ mdns:
+ timeout: 30
+
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 9001
+ mdns:
+ name: "designate-mdns"
+ proto: "http"
+ external_policy_local: false
+ node_port:
+ enabled: true
+ port: 5354
+
+bootstrap:
+ enabled: false
+ script: |
+ openstack token issue
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - designate-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ job_rabbit_init:
+ api:
+ jobs:
+ - designate-rabbit-init
+ sink:
+ jobs:
+ - designate-rabbit-init
+ central:
+ jobs:
+ - designate-rabbit-init
+ worker:
+ jobs:
+ - designate-rabbit-init
+ static:
+ db_init:
+ services:
+ - service: oslo_db
+ endpoint: internal
+ db_sync:
+ jobs:
+ - designate-db-init
+ services:
+ - service: oslo_db
+ endpoint: internal
+ ks_user:
+ services:
+ - service: identity
+ endpoint: internal
+ ks_service:
+ services:
+ - service: identity
+ endpoint: internal
+ ks_endpoints:
+ jobs:
+ - designate-ks-service
+ services:
+ - service: identity
+ endpoint: internal
+ rabbit_init:
+ services:
+ - service: oslo_messaging
+ endpoint: internal
+ api:
+ jobs:
+ - designate-db-sync
+ - designate-ks-user
+ - designate-ks-endpoints
+ service:
+ - service: oslo_db
+ endpoint: internal
+ - service: identity
+ endpoint: internal
+ - service: oslo_messaging
+ endpoint: internal
+ central:
+ jobs:
+ - designate-db-sync
+ - designate-ks-user
+ - designate-ks-endpoints
+ service:
+ - service: oslo_db
+ endpoint: internal
+ - service: identity
+ endpoint: internal
+ - service: oslo_messaging
+ endpoint: internal
+ worker:
+ jobs:
+ - designate-db-sync
+ - designate-ks-user
+ - designate-ks-endpoints
+ services:
+ - service: oslo_db
+ endpoint: internal
+ - service: identity
+ endpoint: internal
+ - service: mdns
+ endpoint: internal
+ mdns:
+ jobs:
+ - designate-db-sync
+ - designate-ks-user
+ - designate-ks-endpoints
+ services:
+ - service: oslo_db
+ endpoint: internal
+ - service: identity
+ endpoint: internal
+ producer:
+ jobs:
+ - designate-db-sync
+ - designate-ks-user
+ - designate-ks-endpoints
+ services:
+ - service: oslo_db
+ endpoint: internal
+ - service: identity
+ endpoint: internal
+ sink:
+ jobs:
+ - designate-db-sync
+ - designate-ks-user
+ - designate-ks-endpoints
+ services:
+ - service: oslo_db
+ endpoint: internal
+ - service: identity
+ endpoint: internal
+
+conf:
+ pools: |
+ - name: default
+ # The name is immutable. There will be no option to change the name after
+ # creation and the only way will to change it will be to delete it
+ # (and all zones associated with it) and recreate it.
+ description: Default Pool
+
+ attributes: {}
+
+ # List out the NS records for zones hosted within this pool
+ # This should be a record that is created outside of designate, that
+ # points to the public IP of the controller node.
+ ns_records:
+ - hostname: {{ printf "ns.%s.svc.%s." .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+ priority: 1
+
+ # List out the nameservers for this pool. These are the actual DNS servers.
+ # We use these to verify changes have propagated to all nameservers.
+ nameservers:
+ - host: ${POWERDNS_SERVICE_HOST}
+ port: {{ tuple "powerdns" "internal" "powerdns" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+ # List out the targets for this pool. For BIND there will be one
+ # entry for each BIND server, as we have to run rndc command on each server
+ targets:
+ - type: pdns4
+ description: PowerDNS Server
+
+ # List out the designate-mdns servers from which PowerDNS servers should
+ # request zone transfers (AXFRs) from.
+ # This should be the IP of the controller node.
+ # If you have multiple controllers you can add multiple masters
+ # by running designate-mdns on them, and adding them here.
+ masters:
+ - host: ${MINIDNS_SERVICE_HOST}
+ port: {{ tuple "mdns" "internal" "ipc" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+ # PowerDNS Configuration options
+ options:
+ host: ${POWERDNS_SERVICE_HOST}
+ port: {{ tuple "powerdns" "internal" "powerdns" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ api_endpoint: http://${POWERDNS_SERVICE_HOST}:{{ tuple "powerdns" "internal" "powerdns_api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ api_token: {{ tuple "powerdns" "service" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+ paste:
+ composite:osapi_dns:
+ use: egg:Paste#urlmap
+ /: osapi_dns_versions
+ /v2: osapi_dns_v2
+ /admin: osapi_dns_admin
+ composite:osapi_dns_versions:
+ use: call:designate.api.middleware:auth_pipeline_factory
+ noauth: http_proxy_to_wsgi cors maintenance faultwrapper osapi_dns_app_versions
+ keystone: http_proxy_to_wsgi cors maintenance faultwrapper osapi_dns_app_versions
+ app:osapi_dns_app_versions:
+ paste.app_factory: designate.api.versions:factory
+ composite:osapi_dns_v2:
+ use: call:designate.api.middleware:auth_pipeline_factory
+ noauth: http_proxy_to_wsgi cors request_id faultwrapper validation_API_v2 noauthcontext maintenance normalizeuri osapi_dns_app_v2
+ keystone: http_proxy_to_wsgi cors request_id faultwrapper validation_API_v2 authtoken keystonecontext maintenance normalizeuri osapi_dns_app_v2
+ app:osapi_dns_app_v2:
+ paste.app_factory: designate.api.v2:factory
+ composite:osapi_dns_admin:
+ use: call:designate.api.middleware:auth_pipeline_factory
+ noauth: http_proxy_to_wsgi cors request_id faultwrapper noauthcontext maintenance normalizeuri osapi_dns_app_admin
+ keystone: http_proxy_to_wsgi cors request_id faultwrapper authtoken keystonecontext maintenance normalizeuri osapi_dns_app_admin
+ app:osapi_dns_app_admin:
+ paste.app_factory: designate.api.admin:factory
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: designate
+ filter:request_id:
+ paste.filter_factory: oslo_middleware:RequestId.factory
+ filter:http_proxy_to_wsgi:
+ paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
+ filter:noauthcontext:
+ paste.filter_factory: designate.api.middleware:NoAuthContextMiddleware.factory
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:keystonecontext:
+ paste.filter_factory: designate.api.middleware:KeystoneContextMiddleware.factory
+ filter:maintenance:
+ paste.filter_factory: designate.api.middleware:MaintenanceMiddleware.factory
+ filter:normalizeuri:
+ paste.filter_factory: designate.api.middleware:NormalizeURIMiddleware.factory
+ filter:faultwrapper:
+ paste.filter_factory: designate.api.middleware:FaultWrapperMiddleware.factory
+ filter:validation_API_v2:
+ paste.filter_factory: designate.api.middleware:APIv2ValidationErrorMiddleware.factory
+ policy:
+ admin: role:admin or is_admin:True
+ primary_zone: target.zone_type:SECONDARY
+ owner: tenant:%(tenant_id)s
+ admin_or_owner: rule:admin or rule:owner
+ target: tenant:%(target_tenant_id)s
+ owner_or_target: rule:target or rule:owner
+ admin_or_owner_or_target: rule:owner_or_target or rule:admin
+ admin_or_target: rule:admin or rule:target
+ zone_primary_or_admin: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
+ default: rule:admin_or_owner
+ all_tenants: rule:admin
+ edit_managed_records: rule:admin
+ use_low_ttl: rule:admin
+ get_quotas: rule:admin_or_owner
+ get_quota: rule:admin_or_owner
+ set_quota: rule:admin
+ reset_quotas: rule:admin
+ create_tld: rule:admin
+ find_tlds: rule:admin
+ get_tld: rule:admin
+ update_tld: rule:admin
+ delete_tld: rule:admin
+ create_tsigkey: rule:admin
+ find_tsigkeys: rule:admin
+ get_tsigkey: rule:admin
+ update_tsigkey: rule:admin
+ delete_tsigkey: rule:admin
+ find_tenants: rule:admin
+ get_tenant: rule:admin
+ count_tenants: rule:admin
+ create_zone: rule:admin_or_owner
+ get_zones: rule:admin_or_owner
+ get_zone: rule:admin_or_owner
+ get_zone_servers: rule:admin_or_owner
+ find_zones: rule:admin_or_owner
+ find_zone: rule:admin_or_owner
+ update_zone: rule:admin_or_owner
+ delete_zone: rule:admin_or_owner
+ xfr_zone: rule:admin_or_owner
+ abandon_zone: rule:admin
+ count_zones: rule:admin_or_owner
+ count_zones_pending_notify: rule:admin_or_owner
+ purge_zones: rule:admin
+ touch_zone: rule:admin_or_owner
+ create_recordset: rule:zone_primary_or_admin
+ get_recordsets: rule:admin_or_owner
+ get_recordset: rule:admin_or_owner
+ find_recordsets: rule:admin_or_owner
+ find_recordset: rule:admin_or_owner
+ update_recordset: rule:zone_primary_or_admin
+ delete_recordset: rule:zone_primary_or_admin
+ count_recordset: rule:admin_or_owner
+ create_record: rule:admin_or_owner
+ get_records: rule:admin_or_owner
+ get_record: rule:admin_or_owner
+ find_records: rule:admin_or_owner
+ find_record: rule:admin_or_owner
+ update_record: rule:admin_or_owner
+ delete_record: rule:admin_or_owner
+ count_records: rule:admin_or_owner
+ use_sudo: rule:admin
+ create_blacklist: rule:admin
+ find_blacklist: rule:admin
+ find_blacklists: rule:admin
+ get_blacklist: rule:admin
+ update_blacklist: rule:admin
+ delete_blacklist: rule:admin
+ use_blacklisted_zone: rule:admin
+ create_pool: rule:admin
+ find_pools: rule:admin
+ find_pool: rule:admin
+ get_pool: rule:admin
+ update_pool: rule:admin
+ delete_pool: rule:admin
+ zone_create_forced_pool: rule:admin
+ diagnostics_ping: rule:admin
+ diagnostics_sync_zones: rule:admin
+ diagnostics_sync_zone: rule:admin
+ diagnostics_sync_record: rule:admin
+ create_zone_transfer_request: rule:admin_or_owner
+ get_zone_transfer_request: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
+ get_zone_transfer_request_detailed: rule:admin_or_owner
+ find_zone_transfer_requests: '@'
+ find_zone_transfer_request: '@'
+ update_zone_transfer_request: rule:admin_or_owner
+ delete_zone_transfer_request: rule:admin_or_owner
+ create_zone_transfer_accept: rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s
+ get_zone_transfer_accept: rule:admin_or_owner
+ find_zone_transfer_accepts: rule:admin
+ find_zone_transfer_accept: rule:admin
+ update_zone_transfer_accept: rule:admin
+ delete_zone_transfer_accept: rule:admin
+ create_zone_import: rule:admin_or_owner
+ find_zone_imports: rule:admin_or_owner
+ get_zone_import: rule:admin_or_owner
+ update_zone_import: rule:admin_or_owner
+ delete_zone_import: rule:admin_or_owner
+ zone_export: rule:admin_or_owner
+ create_zone_export: rule:admin_or_owner
+ find_zone_exports: rule:admin_or_owner
+ get_zone_export: rule:admin_or_owner
+ update_zone_export: rule:admin_or_owner
+ find_service_status: rule:admin
+ find_service_statuses: rule:admin
+ update_service_service_status: rule:admin
+ designate:
+ DEFAULT:
+ debug: false
+ log_config_append: /etc/designate/logging.conf
+ service:api:
+ auth_strategy: keystone
+ enable_api_v2: true
+ enable_api_admin: true
+ enabled_extensions_v2: quotas,reports
+ workers: 2
+ service:worker:
+ enabled: true
+ notify: false
+ oslo_middleware:
+ enable_proxy_headers_parsing: true
+ oslo_policy:
+ policy_file: /etc/designate/policy.yaml
+ database:
+ max_retries: -1
+ storage:sqlalchemy:
+ max_retries: -1
+ keystone_authtoken:
+ auth_version: v3
+ auth_type: password
+ memcache_security_strategy: ENCRYPT
+ logging:
+ loggers:
+ keys:
+ - root
+ - designate
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_designate:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: designate
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: designate-keystone-admin
+ designate: designate-keystone-user
+ test: designate-keystone-test
+ oslo_db:
+ admin: designate-db-admin
+ designate: designate-db-user
+ oslo_messaging:
+ admin: designate-rabbitmq-admin
+ designate: designate-rabbitmq-user
+ tls:
+ dns:
+ api:
+ public: designate-tls-public
+ oci_image_registry:
+ designate: designate-oci-image-registry
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ designate:
+ username: designate
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ designate:
+ role: admin
+ region_name: RegionOne
+ username: designate
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ test:
+ role: admin
+ region_name: RegionOne
+ username: designate-test
+ password: password
+ project_name: test
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ dns:
+ name: designate
+ hosts:
+ default: designate-api
+ public: designate
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 9001
+ public: 80
+ mdns:
+ name: minidns
+ hosts:
+ default: minidns
+ public: designate-mdns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: 'tcp'
+ port:
+ ipc:
+ default: 5354
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ designate:
+ username: designate
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /designate
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_cache:
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ auth:
+ # NOTE: this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ designate:
+ username: designate
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /designate
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ powerdns:
+ auth:
+ service:
+ token: chiave_segreta
+ hosts:
+ default: powerdns
+ host_fqdn_override:
+ default: null
+ port:
+ powerdns_api:
+ default: 8081
+ powerdns:
+ default: 53
+
+manifests:
+ configmap_bin: true
+ configmap_etc: true
+ deployment_api: true
+ deployment_central: true
+ deployment_worker: true
+ deployment_producer: true
+ deployment_mdns: true
+ deployment_sink: false
+ ingress_api: true
+ job_bootstrap: true
+ job_db_init: true
+ job_db_sync: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ job_rabbit_init: true
+ pdb_api: true
+ pdb_producer: true
+ pdb_central: true
+ pdb_worker: true
+ pdb_mdns: true
+ pdb_sink: false
+ secret_db: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ secret_registry: true
+ service_api: true
+ service_mdns: true
+ service_ingress_api: true
+...
diff --git a/charts/glance/.helmignore b/charts/glance/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/glance/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/glance/Chart.yaml b/charts/glance/Chart.yaml
new file mode 100644
index 0000000..0650294
--- /dev/null
+++ b/charts/glance/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Glance
+home: https://docs.openstack.org/glance/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: glance
+sources:
+- https://opendev.org/openstack/glance
+- https://opendev.org/openstack/openstack-helm
+version: 0.4.1
diff --git a/charts/glance/charts/helm-toolkit/Chart.yaml b/charts/glance/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/glance/charts/helm-toolkit/requirements.yaml b/charts/glance/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
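Review bot: The username and password read by `index $userMap "username"` / `index $userMap "password"` are spliced raw into the URI by the final printf, so a secret containing `@`, `:`, `/`, `#` or `%` yields a `mysql+pymysql://` URL that either fails to parse or names the wrong host. URL parsers on the consumer side (SQLAlchemy's, presumably, given the example return value) percent-decode the userinfo, so escaping at render time is the safe form for generated secrets: `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}`. One caveat worth a comment next to that line: `urlquery` encodes a space as `+`, which the consumer would read literally, so passwords with spaces still need separate handling. A missing `password` key is also not caught here, since `index` yields nil and printf renders the literal `%!s(<nil>)` into the URI instead of failing the render; `| required "… password is required"` on the lookup would turn that into a template error.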
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
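Review bot: Each `%s:%s@%s…` entry built at the two printf lines embeds the username and password unescaped, and the entries are then joined with commas into a single transport URL, so a generated secret containing `,`, `@`, `:` or `/` corrupts the host list (a `,` in the password splits it into an extra bogus host). As far as I recall oslo.messaging's TransportURL parser percent-decodes the userinfo, so `{{- $endpointUser := index $userMap "username" | urlquery }}` / `{{- $endpointPass := index $userMap "password" | urlquery }}` is the safe form (keeping in mind `urlquery` turns a space into `+`). A missing password is rendered silently too: `index $userMap "password"` returns nil and printf writes the literal `%!s(<nil>)` into the URL rather than failing the chart render, which `| required` on the lookup would catch. Finally, `until ( atoi (print $ssMap.replicas ) )` with `replicas: 0` produces an empty host list and a URL of just `rabbit:///path`; a guard that fails the render when `$ssMap.replicas` is not at least 1 would surface that misconfiguration at install time instead of at connect time.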
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
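Review bot: The IPv4 test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any hostname that merely contains a dotted quad (for example `db-10.0.0.5.example.org`) takes the address branch and is returned as-is, skipping the FQDN expansion that the header's examples show for plain names like `mariadb`. Anchoring it — `{{- if regexMatch "^[0-9]{1,3}(\\.[0-9]{1,3}){3}$" $endpointHost }}` — limits the shortcut to literal addresses; IPv6 literals are still not recognised, which the abstract's "IPv4" wording hints at but a short comment on the branch (`{{/* only dotted-quad IPv4 literals bypass FQDN lookup; IPv6 must use host_fqdn_override */}}`) would make explicit. As a point of style, the helper keeps its scratch value in `$context.Values.__endpointHost`, mutating the shared values map from inside a lookup and leaving that key visible to every later template; the `$local := dict …` / `set $local …` pattern used by the transport-URI helper in this same commit avoids that.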
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
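Review bot: `printf "%1.f" $endpointPort` assumes the port arrives as a float64, which is what Helm produces for a number in a values file; as far as I'm aware a port supplied with `--set` arrives as int64 and a quoted port as a string, and in both cases `%1.f` renders a garbage literal such as `%!f(int64=3306)` into the endpoint instead of failing. Casting first — `{{- printf "%d" ( int $endpointPort ) -}}` — handles all three representations. A port missing from both the endpoint key and `default` is likewise not an error today (`index` yields nil and the same garbage value is rendered), so `| required` on the lookup line would make that misconfiguration fail at render time rather than at connect time.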
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
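Review bot: A missing `token` key renders as the literal `%!s(<nil>)` rather than failing, because `index` on a map returns nil for an absent key and `printf "%s"` formats it without complaint; since this helper's output is pasted into service credential configuration, a placeholder string lands where an auth token should be and only surfaces later as an authentication failure. Wrapping the lookup in Helm's `required` fails the render with a pointed message: `{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" | required (printf "endpoints.%s.auth.%s.token is not set" $type $userName) }}`. The token in the header comment is a sample value, which is fine, but anything rendered through this helper ends up in a manifest, so it is worth confirming callers only route it into Secret objects.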
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
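Review bot: `set $context.Values "__FQDNendpointHostDefault"` (the fifth and seventh template lines of the define) uses the chart's global values map as scratch space, so the helper has a side effect that persists across includes and shows up in anything that dumps `.Values`; `_hostname_short_endpoint_lookup.tpl` does the same with `__endpointHost`. The bundled `_ceph-storageclass.tpl` already relies on Helm 3 variable reassignment (`$monHost = ...`), so the scratch key can be a plain local here and in the short-hostname helper. Only the default-resolution and the two `default $fqdnDefault` references change.
```gotemplate
{{/* … unchanged: tuple unpacking, $endpointMap, $endpointClusterHostname … */}}
{{- $fqdnDefault := index $endpointMap.host_fqdn_override "default" | default "" }}
{{- if kindIs "map" $fqdnDefault }}
{{- $fqdnDefault = index $fqdnDefault "host" }}
{{- end }}
{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $fqdnDefault | default $endpointClusterHostname }}
{{/* … unchanged: printf … */}}
{{- else }}
{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $fqdnDefault | default $endpointClusterHostname }}
{{/* … unchanged: printf and closing end … */}}
```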
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
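Review bot: The IPv4 test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any hostname that merely contains a dotted quad (a `10.0.0.1.nip.io`-style name, for example) is treated as an address and the helper silently returns the service type instead of the configured host; the same pattern appears in `_service_name_endpoint_with_namespace_lookup.tpl` further down. Anchoring fixes both: `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`. `$endpointScheme := $endpointMap.scheme` is assigned and never read in this define and can be dropped.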
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
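Review bot: The `usage:` example in the header comment does not match the helper it documents: it passes `tuple identity .` with the type unquoted and includes `"keystone_endpoint_name_lookup"`, whereas the define is `helm-toolkit.endpoints.keystone_endpoint_name_lookup` and every other helper in this bundle quotes the type. It should read `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. The trailing comment in `_keystone_endpoint_scheme_lookup.tpl` has the same problem, referring to `helm-toolkit.endpoints.keystone_scheme_lookup`, a name that is not defined anywhere on this page.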
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/glance/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
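Review bot: `{{- if .service.name }}` aborts the render with Helm's `nil pointer evaluating interface {}.name` when the host is an IP address and the endpoint map has no `service` key, because `.service` resolves to nil for an absent key and `.name` is then evaluated on it; that IP branch is exactly the case the header comment says should fall back to `namespace:<type>`. Guarding the lookup makes the fallback reachable: `{{- if (index . "service" | default dict).name }}`. Writing it as `and (hasKey . "service") .service.name` is only safe on Helm builds whose Go runtime short-circuits `and` (Go 1.18+); older builds evaluate both operands and hit the same error.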
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
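Review bot: `monitors: {{ $monHost }}` is the only parameter emitted unquoted, while every `storageclassData.parameters` entry goes through `| quote`; if `conf.ceph.global.mon_host` is given in Ceph's bracketed msgr2 form (`[v2:...,v1:...]`) the unquoted value is parsed as a YAML flow sequence and the StorageClass is rejected, and a value containing `: ` would mis-nest. `monitors: {{ $monHost | quote }}` keeps the line consistent with the loop below it. The `---` separator is emitted before the `provision_storage_class` guard, which leaves an empty document when the class is disabled; harmless to kubectl, but moving it inside the `if` would be tidier.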
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
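Review bot: `{{ $slice | toYaml | indent 2 }}` dumps the whole `host_fqdn_override.default.tls` map into the Certificate spec, so any key a user keeps there beyond cert-manager's fields is emitted too; the ingress example in this bundle shows `crt`/`key`/`ca` living under a `tls` map of the same shape, and if that layout were used for `default` the private key would at least appear in the rendered manifest and release history rather than only in a Secret. Filtering the key material out before rendering closes that, `{{ omit $slice "crt" "key" "ca" | toYaml | indent 2 }}`, and building spec from an explicit allowlist of cert-manager fields would be stricter still. `secretName` is rendered without a check, so a missing value yields a Certificate with an empty `metadata.name`; `| required (printf "endpoints.%s.host_fqdn_override.default.tls.secretName is required" $service)` on that lookup would fail the render instead. The `set` calls mutate `.Values` in place, so the defaults filled in here are visible to templates rendered afterwards — presumably intended, but worth a comment.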
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
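Review bot: The header comment above the define says the template "creates a manifest for db creation and user management", which is copied from the db-init/db-drop templates and is wrong for a bootstrap Job; I would replace that first line with `# This function creates a manifest for a bootstrap Job that runs /tmp/bootstrap.sh from the service's bin ConfigMap (or secretBin), with keystone openrc env vars when openrc is "true".` and keep the two usage lines. That comment also sits outside a `{{/* */}}` block, unlike the license header and `_ingress.tpl`, so it relies on the leading underscore in the file name to stay out of rendered output; wrapping it in `{{/* ... */}}` makes the intent explicit. `openrc` is compared with `eq $openrc "true"` and defaults to the string `"true"`, so a caller passing a boolean `true` silently gets no `env:` block — either document that the value must be a string or normalise it with `{{- $openrc := index . "openrc" | default "true" | toString -}}`. Neither the pod nor the `bootstrap` container sets a `securityContext`, so the shell script runs with whatever the image defaults to; if the charts' values carry the helm-toolkit pod/container security-context snippets (not visible in this hunk) they should be included here as they are in the newer templates.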
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
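Review bot: `dbAdminTlsSecret` defaults to `""` but the TLS volume and mount are emitted whenever `manifests.certificates` is set, so a chart that enables certificates without passing `dbAdminTlsSecret` presumably renders a volume with an empty secret name and the Job fails at admission rather than at template time; a guard such as `{{- if $envAll.Values.manifests.certificates }}{{- $_ := required "dbAdminTlsSecret is required when manifests.certificates is enabled" $dbAdminTlsSecret }}{{- end }}` next to the variable declarations would fail fast with a clear message (the bootstrap template avoids this by gating on `ne $tlsSecret ""`). The `$dbToDropType` declaration inside the first `range` uses `{{ ... }}` without whitespace trimming while the second range uses `{{- ... }}`, leaving a stray blank line inside the `containers:` list; `{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}` makes them consistent. The header comment again describes "db creation and user management" although this Job drops databases with the admin credentials as a `pre-delete` hook; `# This function creates a manifest for a pre-delete Job that drops the service's database(s) using the admin DB credentials; uninstalling the release is destructive.` says what it actually does and why the hook matters.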
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
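Review bot: The db-init pod spec sets no pod or container securityContext even though each container receives the database root connection string through ROOT_DB_CONNECTION (secretKeyRef on the adminSecret), whereas the job_ks_user template in this same bundle wires `helm-toolkit.snippets.kubernetes_pod_security_context` and `kubernetes_container_security_context`, so a `pod.security_context.db_init` stanza in values.yaml would be silently ignored here. Suggest adding `{{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` directly after the `serviceAccountName:` line and `{{ dict "envAll" $envAll "application" "db_init" "container" "db_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources include inside the per-database container loop. Whether those snippets tolerate an absent values key is not visible in this hunk; the ks-user template relies on the same behaviour. As this is a vendored helm-toolkit copy, the fix belongs in the bundled toolkit source so every chart picks it up rather than only this one.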
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
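Review bot: The header comment documents only `envAll` and `serviceName`, but the template also reads `podEnvVars`, `podVolMounts`, `podVols`, `secretBin`, `dbAdminTlsSecret`, `backoffLimit`, `activeDeadlineSeconds`, `jobLabels`, `jobAnnotations`, `nodeSelector`, `tolerationsEnabled`, `configMapBin` and `configMapEtc`, and `podEnvVars`/`podVolMounts`/`podVols` are spliced into the pod verbatim via `toYaml`. I would extend the comment with a line per optional key, and in particular `# podEnvVars is emitted as-is: pass credentials as valueFrom/secretKeyRef entries, never as literal value: strings` so callers do not put DB passwords into the rendered manifest. Like db-init, this pod carries no securityContext include despite running with the admin TLS material and the service config containing the DB connection string; a `pod.security_context.db_sync` value would have no effect here, which is worth either wiring the same snippets the ks-user template uses or documenting.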
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
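Review bot: `restartPolicy` is taken from `.Values.jobs.ks_endpoints.restartPolicy` (or the caller's `restartPolicy` key) without validation, but a Job pod template only accepts `Never` or `OnFailure`, so a value such as `Always` renders fine and then fails at apply time with an API validation error far from the values file that caused it. A template-time guard after the `$restartPolicy` assignment makes the failure explicit: `{{- if not (has $restartPolicy (list "Never" "OnFailure")) }}{{- fail (printf "ks_endpoints restartPolicy must be Never or OnFailure, got %q" $restartPolicy) }}{{- end }}`. Separately, the TLS mount is included with `"enabled" true` even when `$tlsSecret` is the empty default, while the openrc env vars correctly gate `useCA` on `ne $tlsSecret ""`; whether `tls_volume_mount` ignores an empty name is not visible here, so either gating `enabled` on the same condition or confirming the snippet's handling would be good. These containers all load the keystone admin credentials from `secrets.identity.admin`, so any hardening applied to ks-user (securityContext snippets) is equally relevant to this job.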
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
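Review bot: `OS_SERVICE_NAME` is emitted as an unquoted scalar from `helm-toolkit.endpoints.keystone_endpoint_name_lookup`, while the neighbouring `OS_SERVICE_TYPE` is piped through `quote`; a service name that YAML re-types (boolean- or number-looking) would render as a non-string env value and be rejected by the API server. If the lookup helper does not already emit a quoted scalar (not visible in this hunk), change the line to `value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" | quote }}`; the same line appears in the ks-endpoints template in this bundle. The `restartPolicy` value from `.Values.jobs.ks_service.restartPolicy` is likewise unvalidated here, and a Job only accepts `Never` or `OnFailure`, so a `fail`-based guard after the assignment would surface a bad value at render time instead of at apply time.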
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
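Review bot: The usage comment at the top of this template shows the container securityContext keyed as `ks-user:` (hyphen) under `pod.security_context.ks_user.container`, but the include passes `"container" "ks_user"` (underscore); if the snippet looks the values up by that container key, as the example implies, a values file written from the comment would never apply `readOnlyRootFilesystem`/`allowPrivilegeEscalation` to the container that holds the keystone admin credentials (`secrets.identity.admin` via `keystone_openrc_env_vars`) and the new service user's password. Either the example should read `ks_user:` to match the include, or the include should pass `"container" "ks-user"` to match the container's actual name; the snippet's exact lookup is not visible in this hunk, so the one that matches its implementation should be chosen and a short comment such as `# container key must match the "container" argument passed to kubernetes_container_security_context` added next to the example. This is the only job template in the bundle that wires the security-context snippets at all, so it is also the reference the others should follow.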
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/glance/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
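Review bot: The member-role assignment at the end of the script never assigns `${MEMBER_OS_ROLE}`: `ks_assign_user_role` recomputes `USER_ROLE_ID` from `$SERVICE_OS_ROLE`, which after the `for` loop still holds the last entry of `SERVICE_OS_ROLES`, so the `export USER_ROLE_ID=$(openstack role create ...)` value is overwritten and the last service role is simply added a second time. Setting the loop variable instead fixes it: replace the `export USER_ROLE_ID=...` lines with `SERVICE_OS_ROLE="${MEMBER_OS_ROLE}"` and keep the following `ks_assign_user_role`. `IFS=','` is set before the loop and never restored, so any later word splitting in this script, or in a script that sources it, splits on commas only; add `unset IFS` after the `done`. The `set +x` / `set -x` bracket keeps the password out of the xtrace output, but `openstack user set --password=` still receives it as a command-line argument, readable from the process table while the command runs; a one-line comment on that call stating this residual exposure would help the next maintainer.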
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
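Review bot: `rabbitmqadmin_cli` passes `--ssl-disable-hostname-verification` alongside `--ssl-ca-cert-file`, so the TLS branch only checks that the server certificate chains to `${USER_CERT_PATH}/ca.crt`, not that it was issued for `${RABBIT_HOSTNAME}`; any certificate signed by that CA is accepted, which gives up part of what pinning the CA buys. If the cluster-issued certificate carries the service hostname as a SAN the flag can be dropped; otherwise the line should carry a comment explaining why hostname verification is off. The unquoted `${@}` in both branches re-splits arguments such as `password="${RABBITMQ_PASSWORD}"` on whitespace and globs them; use `"$@"`. The admin and user passwords are passed on the rabbitmqadmin command line and are therefore readable from the process table while it runs; since the script never enables xtrace, that appears to be the only exposure path here. `/tmp/rmq_definitions.json` is a fixed path for the auxiliary definitions; `RMQ_DEFS=$(mktemp -p /tmp)` plus an EXIT trap that removes it avoids clobbering or importing a pre-existing file.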
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
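Review bot: The heredoc writes `${OS_PASSWORD}` and `${SERVICE_OS_PASSWORD}` to the fixed path `/tmp/rally-config.json` under the default umask, and the `rm -f` only runs if `rally deployment create` succeeds; with `set -e` a failure there exits the script with the credential file left on disk. Creating it with `umask 077` or `mktemp` and removing it from the EXIT trap (a trap is currently installed only when `RALLY_CLEANUP` is true) deletes it on every path. In `create_or_update_db`, `[ $revisionResults = "None" ]` is unquoted, so an empty output from `rally db revision` turns the test into a `[` syntax error and the script silently falls through to `rally db upgrade`; write `[ "$revisionResults" = "None" ]`. The `define` block is complete within the hunk.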
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Calculation remote file SHA256 hash
+ REMOTE_FILE=$(mktemp -p /tmp)
+ openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+ rm -rf ${REMOTE_FILE}
+ return 1
+ fi
+
+ # Remote backup verification
+ SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+ SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+ if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+ return 1
+ fi
+ rm -rf ${REMOTE_FILE}
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
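Review bot: `${$ARCHIVE_DIR}` in the warning branch of `remove_old_local_archives` is a bad substitution, so the one path meant to report a missing archive directory errors out instead; it should read `log WARN "${DB_NAME}_backup" "The local backup directory ${ARCHIVE_DIR} does not exist."`. `log_backup_error_exit` and `log_verify_backup_exit` default `ERRCODE` to 0 and every call site in `backup_databases` omits the second argument, so a failed dump, tarball or verification step ends the pod with exit status 0 and anything that watches the Job's exit status sees success; the explicit `exit 0` after a remote-upload failure is commented as deliberate, but the local-failure calls should pass a non-zero code, e.g. `log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention." 1` (the `exit 1` after `log_verify_backup_exit` is unreachable today). In `send_to_remote_server`, `2>&1 > $RES_FILE` sends curl's stderr to the terminal rather than the file, and `grep "HTTP" $RES_FILE | awk '{print $2}'` can yield several values when the response contains more than one status line, which makes the `-ge 400` comparison fail; `> $RES_FILE 2>&1` and `grep -m1` keep the check well formed. The `[[ -z fileTable[${INDEX}] ]]` test in `create_hash_table` checks a literal string and is always false; the code still works because the else branch tolerates an empty entry, but `[[ -z "${fileTable[${INDEX}]}" ]]` says what is meant.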
diff --git a/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
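Review bot: The archive-membership guard in `database_exists` (`grep "${DB}" ${RESULT_FILE}`) is an unanchored regex match, so a requested name that is merely a substring of a real database (e.g. `nova` against `nova_api` or `nova_cell0`) or a pattern such as `.` passes the check, and `restore_single_db` is then invoked for a database the archive may not actually contain. Make it an exact, literal, whole-line match: `grep -Fxq -- "${DB}" "${RESULT_FILE}"`. The same substring looseness affects `retrieve_remote_listing`, whose `grep $DB_NAME | grep $DB_NAMESPACE` filter will also list another namespace's archives whose object names happen to contain those strings. Separately, `<archive_filename>` is spliced unchecked into the `cp`, `rm -f` and `openstack object save --file` paths, so a value containing `/` or `..` escapes `ARCHIVE_DIR`/`TMP_DIR`; rejecting names with a slash up front in `get_archive` and `delete_archive` (`[[ "$ARCHIVE_FILE" == */* ]] && clean_and_exit 1 "ERROR: archive name must not contain '/'"`) would close that. Since this is a bundled copy of helm-toolkit, the fix should land upstream as well.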
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
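Review bot: `$imageTag := index $envAll.Values.images.tags $image` has no guard for an unknown `$image` key, so a typo in a caller's tuple renders an empty `image:` value (or, on the local-registry branch, a registry prefix followed by a bare slash) that only surfaces when the manifest is applied. Helm's `required` turns this into a render-time error with an actionable message: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not defined" $image) -}}`. I have not rendered this to confirm exactly how `quote` and `printf` treat the nil value, so the precise failure mode is inferred; either way a render-time check is preferable to discovering it at deploy time.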
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
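Review bot: The documentation header of `keystone_openrc_env_vars` no longer matches the template body: the `return:` block lists `OS_CACERT` unconditionally and omits `OS_DEFAULT_DOMAIN`, while the body emits `OS_DEFAULT_DOMAIN` always and `OS_CACERT` only when `useCA` is set, and the `usage:` line never shows the `useCA` argument. Update the header to show `( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true )` and the actual variable list. It is also worth stating the coupling in a comment, since the secret snippet in this same change emits `OS_CACERT` only when `cacert` is configured: `{{/* useCA: the secret named by ksUserSecret must carry an OS_CACERT key, otherwise the pod fails to start with a missing-key error */}}`.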
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
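Review bot: `OS_PASSWORD: {{ $userContext.password | b64enc }}` (like the other mandatory fields here) accepts a missing value without a meaningful diagnostic; if `endpoints.identity.auth.<userClass>.password` is absent from a values override the render either fails with a generic type error or, depending on how the value is resolved, produces a Secret with empty credentials that is only discovered when keystone rejects the login. A `required` guard naming the value path makes the failure explicit: `OS_PASSWORD: {{ $userContext.password | required (printf "endpoints.identity.auth.%s.password is required" $userClass) | b64enc }}`. This snippet is also the only one in this set without an `abstract:`/`values:`/`usage:` header; a short one should say it renders the `data:` body of a Secret for the given user class, that `OS_CACERT` is emitted only when `cacert` is set, and that `OS_INTERFACE` and `OS_DEFAULT_DOMAIN` default to `internal` and `default`.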
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
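Review bot: The `usage:` example for `keystone_user_create_env_vars` passes `"useCA" true`, but the template body never reads `.useCA` and emits no CA variable, so a reader would reasonably assume the user-management job gets a CA bundle from this snippet when it does not. Either drop `"useCA" true` from the usage line, or, if the jobs are meant to verify keystone's TLS certificate through this path, add a `{{- if .useCA }}` block emitting `SERVICE_OS_CACERT` from the secret's `OS_CACERT` key, mirroring `keystone_openrc_env_vars`, after confirming the user-create script actually consumes that variable. Whether the job obtains its CA some other way is not visible here.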
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
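Review bot: The `values:` example in the header places `apparmor_profiles` under `pod.mandatory_access_control`, but the template reads `$envAll.Values.conf.apparmor_profiles` (both in the `if` and in the `toYaml`), so an operator following the documented layout gets no ConfigMap and no error. The example also writes the profiles as a `|-` block string, whereas `toYaml | indent 2` under `data:` expects a mapping of file name to profile text. Move `apparmor_profiles` to a `conf:` key in the example and drop the `|-`. Additionally, `$envAll.Values.conf.apparmor_profiles` is dereferenced without the `hasKey` guards used for the `pod` keys above it; for a chart whose values have no `conf` mapping at all this likely fails at render time with a nil-map error rather than being a silent no-op, so it is worth guarding the same way.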
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
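Review bot: If an operator sets `pod.security_context.<app>.pod.runAsUser` while the deprecated `pod.user.<app>.uid` is still present in values, this snippet emits `runAsUser` twice under `securityContext` — once from the `hasKey ... "uid"` branch and again from the `toYaml` of the explicit context — and the two worked examples in the header each set only one of them, so the overlap is never shown. Most YAML decoders keep the last key and strict server-side decoding may reject the duplicate outright, so which UID wins is parser-dependent; since the explicit context is the documented replacement, it should take precedence. Resolving the explicit pod context first and only falling back to the legacy uid when that context does not carry `runAsUser` removes the ambiguity without changing the rendered output for either documented example. The header typo `seurity context` could be fixed in the same pass.
```yaml
{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
{{- $envAll := index . "envAll" -}}
{{- $application := index . "application" -}}
{{- /* Explicit per-application pod context, if any, takes precedence over the deprecated pod.user uid. */ -}}
{{- $podCtx := dict -}}
{{- if hasKey $envAll.Values.pod "security_context" }}
{{- if hasKey $envAll.Values.pod.security_context $application }}
{{- $podCtx = index $envAll.Values.pod.security_context $application "pod" | default dict -}}
{{- end -}}
{{- end -}}
securityContext:
{{- if and (not (hasKey $podCtx "runAsUser")) (hasKey $envAll.Values.pod "user") }}
{{- if hasKey $envAll.Values.pod.user $application }}
{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $podCtx }}
{{ toYaml $podCtx | indent 2 }}
{{- end -}}
{{- end -}}
```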
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
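Review bot: The `container.seccomp.security.alpha.kubernetes.io/<container>` keys rendered at the bottom of this define are the alpha seccomp annotations, which Kubernetes deprecated in 1.19 and stopped honouring in 1.25, so on current clusters a profile configured under `pod.seccomp` is silently not applied and the container runs without the intended filter — no error, no event. The supported equivalent is a container-level `securityContext.seccompProfile` (`type: Localhost` with `localhostProfile: <name>` for the `localhost/<name>` values shown in the example, or `type: RuntimeDefault`), which would be a separate snippet rendered into each container rather than into pod annotations. Until that exists, the header should carry a warning so this snippet is not mistaken for an enforced control: `note: the alpha annotation form is ignored on Kubernetes >= 1.25; use securityContext.seccompProfile instead`.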
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
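Review bot: The comment block above `mon_host_from_k8s_ep()` documents the rendered entries as `[v2:x.x.x.x/p/0]` and `[v1:x.x.x.x/q/0]`, but the `printf "v2:%s:%d/0"` and `printf "v1:%s:%d/0"` lines produce `v2:x.x.x.x:p/0` and `v1:x.x.x.x:q/0` (colon before the port, presumably the Ceph `addr:port/nonce` form that was intended); the three comment lines should read `[v2:x.x.x.x:p/0]`, `[v1:x.x.x.x:q/0]` and `[v2:x.x.x.x:p/0,v1:x.x.x.x:q/0]`. It is also worth stating in the usage comment that the function needs RBAC `get` on `endpoints` in `$NS` for the pod's service account, since a forbidden response only surfaces as an empty `MON_HOST` plus kubectl's stderr, which the documented caller treats the same as "no monitors found".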
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
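Review bot: The license header at the top of this file is missing its first line (`Licensed under the Apache License, Version 2.0 (the "License");`) — it opens with `you may not use this file ...`, unlike every other helm-toolkit snippet in this change, and the blank lines of the standard header are also dropped. Restoring the full header keeps the bundled copy consistent with its siblings and avoids a later license-scanner flag on a truncated notice.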
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
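Review bot: The abstract at the top of this file reads `Reneders an attonation key and value for a release`; it should read `Renders an annotation key and value for a release`. It would also help to state that the annotation is always emitted — an unset `release_uuid` renders as `""` through the `default ""` — so consumers that key off the annotation's presence can rely on it.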
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
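Review bot: The Secret's data keys are whatever keys appear under `storage.s3.clients.<client>.auth`, upper-cased by the `$key | upper` line, while `_rgw_s3_user_env_vars.tpl` in this same change reads the fixed keys `USERNAME`, `ACCESS_KEY` and `SECRET_KEY` from the identically named `<client>-s3-user-secret`; that contract is not documented here, so a values file using e.g. `access-key` renders a Secret whose keys the env-var snippet cannot resolve and the consuming pod cannot start. A header comment would make the coupling explicit: `auth must provide username, access_key and secret_key; keys are upper-cased and consumed by helm-toolkit.snippets.rgw_s3_user_env_vars`. Since these values land in a Secret straight from values.yaml, the same comment should remind chart users to supply them through an overrides file kept out of version control rather than in chart defaults.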
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
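Review bot: `enabled` is tested with a bare `if and $enabled (ne $name "")`, so any non-empty string is truthy — and the usage example in the header passes `"enabled" "true"` as a string, which means a caller who copies it and writes `"enabled" "false"` still gets the volume rendered. The example should pass a real boolean, as the `_tls_volume_mount.tpl` example does with `.Values.manifests.certificates`, and the parameter doc should read `enabled: boolean (not a string); disables the snippet when false (optional)`. It would also help to spell out that `defaultMode: 292` is decimal for `0444`, i.e. the mounted `tls.key` is readable by every UID in the pod — presumably chosen so a non-root `runAsUser` can read the root-owned secret file without `fsGroup` — so charts that do set `fsGroup` know they can tighten it to `0440`.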
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
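Review bot: Every mount rendered by this define uses `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts, so a rotated certificate or key in the backing Secret is never seen by a running container until the pod is recreated — worth stating in the header, since this snippet is the TLS entry point for the bundled charts: `note: subPath mounts are not refreshed when the Secret changes; certificate rotation requires a pod restart (e.g. a checksum annotation on the pod template)`. Mounting the whole volume at `path` without `subPath` would pick up rotation, but it would also shadow anything else in that directory, so the documented caveat is the safer change here.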
diff --git a/charts/glance/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/glance/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
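Review bot: The `format` parameter read at `{{- $format := index . "format" | default "configMap" -}}` is undocumented: the header's `usage:` and `return:` only show the ConfigMap form, while the `eq $format "Secret"` branch base64-encodes the rendered value for a Secret's `data:` field. Add a line to the abstract such as `format: "configMap" (default) emits the value as a block scalar; "Secret" base64-encodes it for a Secret's data field`. It is also worth stating in the abstract that `tpl` executes the value as a Go template against the full chart context, so whoever controls a values override controls what this helper renders; that is the design, but consumers of the snippet should be told.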
diff --git a/charts/glance/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/glance/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
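Review bot: When `params.ca` is present but lacks either `crt` or `key`, the `hasKey $params "ca"` branch sets nothing, so `$local.ca` is nil by the time `genSignedCert` runs and the render fails with an opaque error; an `{{- else }}{{- fail "params.ca requires both crt and key" }}` inside that branch would surface the misconfiguration directly. Separately, the returned map carries `caKey` (the CA's private key, in both arms of the `$encode` switch), which the `return:` block in the header does not list; document it, and note that consumers writing this output into a Secret mounted by service pods should drop `caKey` first, since a service needs only `crt`, `key` and `ca`. Also worth stating in the abstract: `genCA`, `genSignedCert` and `now` produce a fresh CA, certificate and `exp` on every render, so unless a `ca` is supplied the material changes with each upgrade.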
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
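Review bot: The existence guards for `spec`, `spec.template` and `spec.template.metadata` come after code that already dereferences them: `range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes` and the `set ... "volumes"` on the template spec run before the `if not $context.Values.__daemonset_yaml.spec` chain, so a daemonset YAML missing those keys would fail in the range before the guards can help. Either move that guard block above the volume loop or drop it, since where it stands it protects only the annotation write. The helper also parks working state on the caller's Values under `__daemonset_list`, `__default`, `__label_list`, `__volume`, `__volume_list` and `__daemonset_yaml`, and only `__current_label` is unset again; a closing comment listing which keys remain on Values after the include, or an `unset` for the ones no longer needed, would spare the next reader a surprise.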
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
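Review bot: `__deps` is written to the shared Values in the slice branch (`set $envAll.Values "__deps" …`) and never removed, so it lingers on `$envAll.Values` after the include, whereas `pod_dependency` is at least reset to a fresh dict on entry. Add `{{- $_ := unset $envAll.Values "__deps" }}` after the range, and give the template a header comment in the house style stating that it resolves the static dependencies for `dependencyKey`, optionally merged with the `dynamic.targeted` entries named by `dependencyMixinParam` (a string or a list), and leaves the result on `Values.pod_dependency` as well as printing it.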
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
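Review bot: `$wtf` says nothing about what it holds; it is the sibling template's path, obtained by swapping the current template's basename for `$name`, and a name such as `$templatePath` on the `replace` line and the `include` line would make the two-step lookup readable. A header comment in the house style is also missing: the helper renders the named sibling template with the same context and returns its quoted sha256, presumably for use as a pod annotation so that a change in rendered content triggers a rollout. Worth recording that the digest covers the fully rendered output, so it changes whenever any value feeding that template changes.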
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
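Review bot: The separator is emitted before the exclusion check, so any excluded image other than the first leaves a stray comma: `{{- if not $local.first -}},{{- end -}}` runs for every key, while the `has $k $imageExcludeList` test that decides whether anything follows comes after it, giving output like `a,,c` or a trailing `,` when the last tag is excluded. Move the comma inside the guarded block: `{{- if (not (has $k $imageExcludeList )) -}}{{- if not $local.first -}},{{- end -}}{{- index $imageDict $k -}}{{- $_ := set $local "first" false -}}{{- end -}}`. The template also lacks the header comment its siblings carry; one stating that it emits a comma-joined list of the image references in `.Values.images.tags` minus the keys named in `.Values.images.local_registry.exclude` would do.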
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_template.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/glance/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/glance/charts/helm-toolkit/values.yaml b/charts/glance/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/glance/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/glance/requirements.lock b/charts/glance/requirements.lock
new file mode 100644
index 0000000..48cea9f
--- /dev/null
+++ b/charts/glance/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:21.767149565Z"
diff --git a/charts/glance/requirements.yaml b/charts/glance/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/glance/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
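Review bot: The dependency repository `file://../../openstack-helm-infra/helm-toolkit` resolves to a sibling checkout outside this tree, so `helm dependency update` run inside this repository will presumably fail, while the copy bundled under `charts/glance/charts/helm-toolkit` is what actually satisfies the dependency. The accompanying `requirements.lock` pins `0.2.50`, and the bundled copy's own `Chart.yaml` is not visible in this section, so whether the two agree cannot be confirmed here. A short comment above the entry, such as `# resolved from the bundled charts/helm-toolkit copy; the file:// path is the upstream layout`, would make the intent clear to whoever next touches dependency resolution.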
diff --git a/charts/glance/templates/bin/_bootstrap.sh.tpl b/charts/glance/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..0b11a4f
--- /dev/null
+++ b/charts/glance/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cd /tmp/images
+
+{{ range .Values.bootstrap.structured.images }}
+openstack image show {{ .name | quote }} || \
+ { curl --fail -sSL -O {{ .source_url }}{{ .image_file }}; \
+ openstack image create {{ .name | quote }} \
+ {{ if .id -}} --id {{ .id }} {{ end -}} \
+ --min-disk {{ .min_disk }} \
+ --disk-format {{ .image_type }} \
+ --file {{ .image_file }} \
+ {{ if .properties -}} {{ range $key, $value := .properties }}--property {{$key}}={{$value}} {{ end }}{{ end -}} \
+ --container-format {{ .container_format | quote }} \
+ {{ if .private -}}
+ --private
+ {{- else -}}
+ --public
+ {{- end -}}; }
+{{ end }}
+
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
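Review bot: The image fetched by `curl --fail -sSL -O {{ .source_url }}{{ .image_file }}` is uploaded to Glance with no integrity check, so a tampered or truncated download becomes a registered, possibly public, cloud image. A per-image digest value (a new key such as `checksum` per entry of `bootstrap.structured.images`, not present in the values shown here) verified with something like `{{ if .checksum }}echo "{{ .checksum }}  {{ .image_file }}" | sha256sum -c - || exit 1; {{ end }}` before the `openstack image create` line would close that gap. Separately, `{{ .source_url }}`, `{{ .image_file }}` and `--property {{$key}}={{$value}}` are substituted unquoted into a shell line, unlike `.name` and `.container_format` on the same command, so a value containing whitespace or shell metacharacters changes the command; piping them through `| quote` as the neighbouring fields already do keeps each value a single argument.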
diff --git a/charts/glance/templates/bin/_ceph-admin-keyring.sh.tpl b/charts/glance/templates/bin/_ceph-admin-keyring.sh.tpl
new file mode 100644
index 0000000..8c36d4b
--- /dev/null
+++ b/charts/glance/templates/bin/_ceph-admin-keyring.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat > /etc/ceph/ceph.client.admin.keyring << EOF
+[client.admin]
+{{- if .Values.conf.ceph.admin_keyring }}
+ key = {{ .Values.conf.ceph.admin_keyring }}
+{{- else }}
+ key = $(cat /tmp/client-keyring)
+{{- end }}
+EOF
+
+exit 0
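Review bot: The keyring written by `cat > /etc/ceph/ceph.client.admin.keyring` is created under the process's default umask, so the Ceph admin key is presumably readable by every user in the container rather than only the owner. Adding `umask 077` directly after `export HOME=/tmp` restricts the file to the owner; the same applies to `_ceph-keyring.sh.tpl`, which writes the per-user keyring the same way. Note also that when `.Values.conf.ceph.admin_keyring` is set the key is rendered into the script text itself, so whatever Kubernetes object carries this script (not visible in this hunk) has to be handled as a secret, not as ordinary configuration.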
diff --git a/charts/glance/templates/bin/_ceph-keyring.sh.tpl b/charts/glance/templates/bin/_ceph-keyring.sh.tpl
new file mode 100644
index 0000000..cbafe3d
--- /dev/null
+++ b/charts/glance/templates/bin/_ceph-keyring.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat > /etc/ceph/ceph.client.${RBD_STORE_USER}.keyring <<EOF
+[client.${RBD_STORE_USER}]
+ key = $(cat /tmp/client-keyring)
+EOF
+
+exit 0
diff --git a/charts/glance/templates/bin/_clean-image.sh.tpl b/charts/glance/templates/bin/_clean-image.sh.tpl
new file mode 100644
index 0000000..2ac4b53
--- /dev/null
+++ b/charts/glance/templates/bin/_clean-image.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ if .Values.bootstrap.enabled }}
+{{ range .Values.bootstrap.structured.images }}
+ {{ if .id -}}
+ openstack image show {{ .id | quote }} && \
+ openstack image delete {{ .id | quote }}
+ {{ end -}}
+{{ end }}
+
+{{ end }}
+exit 0
diff --git a/charts/glance/templates/bin/_clean-secrets.sh.tpl b/charts/glance/templates/bin/_clean-secrets.sh.tpl
new file mode 100644
index 0000000..31b7177
--- /dev/null
+++ b/charts/glance/templates/bin/_clean-secrets.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec kubectl delete secret \
+ --namespace ${NAMESPACE} \
+ --ignore-not-found=true \
+ ${RBD_POOL_SECRET}
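Review bot: `${NAMESPACE}` and `${RBD_POOL_SECRET}` are expanded unquoted, and an empty `RBD_POOL_SECRET` leaves `kubectl delete secret` with no resource name, which the `--ignore-not-found=true` flag does not cover. Quoting both and failing early on a missing variable makes the intent explicit: `--namespace "${NAMESPACE:?}" \`, `--ignore-not-found=true \`, `"${RBD_POOL_SECRET:?}"`.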
diff --git a/charts/glance/templates/bin/_db-sync.sh.tpl b/charts/glance/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..21d81ad
--- /dev/null
+++ b/charts/glance/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+glance-manage db_sync
diff --git a/charts/glance/templates/bin/_glance-api.sh.tpl b/charts/glance/templates/bin/_glance-api.sh.tpl
new file mode 100644
index 0000000..9d427b6
--- /dev/null
+++ b/charts/glance/templates/bin/_glance-api.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec glance-api \
+ --config-file /etc/glance/glance-api.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/glance/templates/bin/_iscsiadm.tpl b/charts/glance/templates/bin/_iscsiadm.tpl
new file mode 100644
index 0000000..f27d757
--- /dev/null
+++ b/charts/glance/templates/bin/_iscsiadm.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ iscsiadm "${@:1}"
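Review bot: This wrapper (and the identical `_multipath.tpl` and `_multipathd.tpl`) forwards every argument unchanged into a chroot of the host root filesystem, and nothing in the file says what it requires of the pod. A one-line comment above the `chroot` line would document the contract: `# Runs the host's iscsiadm inside the host rootfs mounted at /mnt/host-rootfs; the pod must mount the host root there and hold the privileges iscsiadm needs.` The `env -i PATH=...` reset is worth a word too, since it deliberately drops the container environment before entering the host.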
diff --git a/charts/glance/templates/bin/_metadefs-load.sh.tpl b/charts/glance/templates/bin/_metadefs-load.sh.tpl
new file mode 100644
index 0000000..1e1f3e4
--- /dev/null
+++ b/charts/glance/templates/bin/_metadefs-load.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+
+glance-manage --config-file /etc/glance/glance-api.conf db_load_metadefs /var/lib/openstack/etc/glance/metadefs
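Review bot: This script is the only one in `templates/bin` without `set -ex`, so it is inconsistent with its siblings, and the double blank line before the command is a stray. As written the job's exit status is still that of `glance-manage`, since it is the only command, but any line added after it would silently mask a failed metadefs load; adding `set -ex` after the header, as `_db-sync.sh.tpl` does, keeps the behaviour uniform.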
diff --git a/charts/glance/templates/bin/_multipath.tpl b/charts/glance/templates/bin/_multipath.tpl
new file mode 100644
index 0000000..7f84c9c
--- /dev/null
+++ b/charts/glance/templates/bin/_multipath.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ multipath "${@:1}"
diff --git a/charts/glance/templates/bin/_multipathd.tpl b/charts/glance/templates/bin/_multipathd.tpl
new file mode 100644
index 0000000..a9ff34a
--- /dev/null
+++ b/charts/glance/templates/bin/_multipathd.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ multipathd "${@:1}"
diff --git a/charts/glance/templates/bin/_nginx.sh.tpl b/charts/glance/templates/bin/_nginx.sh.tpl
new file mode 100644
index 0000000..53418a5
--- /dev/null
+++ b/charts/glance/templates/bin/_nginx.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -xe
+
+COMMAND="${@:-start}"
+
+start () {
+ envsubst < /etc/nginx/nginx.conf > /tmp/nginx.conf
+ cat /tmp/nginx.conf
+ nginx -t -c /tmp/nginx.conf
+ exec nginx -c /tmp/nginx.conf
+}
+
+stop () {
+ nginx -s stop
+}
+
+$COMMAND
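Review bot: `envsubst` with no variable list rewrites every `$name` it finds in /etc/nginx/nginx.conf, and an unset name is replaced with an empty string; nginx configs commonly rely on their own `$host`/`$remote_addr`-style runtime variables, which this would silently blank out. The deployment in this same commit only provides `PORT`, `POD_IP` and `SHORTNAME`, so restricting substitution to those is safer: `envsubst '${PORT} ${POD_IP} ${SHORTNAME}' < /etc/nginx/nginx.conf > /tmp/nginx.conf`. Whether the shipped nginx.conf actually uses nginx variables depends on `.Values.conf.nginx`, which is not visible here. Separately, the unquoted `$COMMAND` dispatch at the end executes whatever word list the container was started with; a guard such as `case "$COMMAND" in start|stop) ;; *) echo "unknown command: $COMMAND" >&2; exit 1;; esac` keeps the script limited to its two documented entry points.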
diff --git a/charts/glance/templates/bin/_storage-init.sh.tpl b/charts/glance/templates/bin/_storage-init.sh.tpl
new file mode 100644
index 0000000..cf6fecb
--- /dev/null
+++ b/charts/glance/templates/bin/_storage-init.sh.tpl
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
+ SECRET=$(mktemp --suffix .yaml)
+ KEYRING=$(mktemp --suffix .keyring)
+ function cleanup {
+ rm -f "${SECRET}" "${KEYRING}"
+ }
+ trap cleanup EXIT
+fi
+
+SCHEME={{ tuple "object_store" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+if [[ "$SCHEME" == "https" && -f /etc/ssl/certs/openstack-helm.crt ]]; then
+ export CURL_CA_BUNDLE="/etc/ssl/certs/openstack-helm.crt"
+fi
+
+set -ex
+if [ "x$STORAGE_BACKEND" == "xpvc" ]; then
+ echo "No action required."
+elif [ "x$STORAGE_BACKEND" == "xswift" ]; then
+ : ${OS_INTERFACE:="internal"}
+ OS_TOKEN="$(openstack token issue -f value -c id)"
+ OS_PROJECT_ID="$(openstack project show service -f value -c id)"
+ OS_SWIFT_ENDPOINT_PREFIX="$(openstack endpoint list --service swift --interface ${OS_INTERFACE} -f value -c URL | awk -F '$' '{ print $1 }')"
+ OS_SWIFT_SCOPED_ENDPOINT="${OS_SWIFT_ENDPOINT_PREFIX}${OS_PROJECT_ID}"
+ curl --fail -i -X POST "${OS_SWIFT_SCOPED_ENDPOINT}" \
+ -H "X-Auth-Token: ${OS_TOKEN}" \
+ -H "X-Account-Meta-Temp-URL-Key: ${SWIFT_TMPURL_KEY}"
+elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
+ ceph -s
+ function ensure_pool () {
+ ceph osd pool stats "$1" || ceph osd pool create "$1" "$2"
+ local test_version
+ if [[ $(ceph mgr versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
+ ceph osd pool application enable $1 $3
+ fi
+ ceph osd pool set "$1" size "${RBD_POOL_REPLICATION}"
+ ceph osd pool set "$1" crush_rule "${RBD_POOL_CRUSH_RULE}"
+ }
+ ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "${RBD_POOL_APP_NAME}"
+
+ if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
+ echo "Cephx user client.${RBD_POOL_USER} already exist."
+ echo "Update its cephx caps"
+ ceph auth caps client.${RBD_POOL_USER} \
+ mon "profile rbd" \
+ osd "profile rbd pool=${RBD_POOL_NAME}"
+ ceph auth get client.${RBD_POOL_USER} -o ${KEYRING}
+ else
+ #NOTE(JCL): Restrict Glance user to only what is needed. MON Read only and RBD access to the Glance Pool
+ ceph auth get-or-create "client.${RBD_POOL_USER}" \
+ mon "profile rbd" \
+ osd "profile rbd pool=${RBD_POOL_NAME}" \
+ -o "${KEYRING}"
+ fi
+
+ ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' "${KEYRING}" | base64 -w0)
+ cat > "${SECRET}" <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${RBD_POOL_SECRET}"
+type: kubernetes.io/rbd
+data:
+ key: "${ENCODED_KEYRING}"
+EOF
+ kubectl apply --namespace "${NAMESPACE}" -f "${SECRET}"
+elif [ "x${STORAGE_BACKEND}" == "xradosgw" ]; then
+ radosgw-admin user stats --uid="${RADOSGW_USERNAME}" || \
+ radosgw-admin user create \
+ --uid="${RADOSGW_USERNAME}" \
+ --display-name="${RADOSGW_USERNAME} user"
+
+ radosgw-admin subuser create \
+ --uid="${RADOSGW_USERNAME}" \
+ --subuser="${RADOSGW_USERNAME}:swift" \
+ --access=full
+
+ radosgw-admin key create \
+ --subuser="${RADOSGW_USERNAME}:swift" \
+ --key-type=swift \
+ --secret="${RADOSGW_PASSWORD}"
+
+ radosgw-admin user modify \
+ --uid="${RADOSGW_USERNAME}" \
+ --temp-url-key="${RADOSGW_TMPURL_KEY}"
+fi
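Review bot: The script runs under `set -x` (re-asserted as `set -ex`), so the keystone token assigned to `OS_TOKEN`, the `X-Auth-Token`/`X-Account-Meta-Temp-URL-Key` headers passed to curl, and the `--secret`/`--temp-url-key` values passed to `radosgw-admin` are all written verbatim to the job's stdout and therefore to the pod log. I would bracket those calls with `set +x` before and `set -x` after (the `OS_TOKEN=$(…)` assignment, the curl invocation, and the `radosgw-admin key create` and `user modify` calls), or drop xtrace entirely for this script. Two smaller items: `local test_version` inside `ensure_pool` is declared but never used, and `USERINFO` captured in the `if` test is never read, so `if ceph auth get "client.${RBD_POOL_USER}"; then` reads more honestly. Also `ceph auth caps client.${RBD_POOL_USER}` and `-o ${KEYRING}` are unquoted while the surrounding lines quote the same expansions.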
diff --git a/charts/glance/templates/certificates.yaml b/charts/glance/templates/certificates.yaml
new file mode 100644
index 0000000..deb2a23
--- /dev/null
+++ b/charts/glance/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/glance/templates/configmap-bin.yaml b/charts/glance/templates/configmap-bin.yaml
new file mode 100644
index 0000000..600681b
--- /dev/null
+++ b/charts/glance/templates/configmap-bin.yaml
@@ -0,0 +1,70 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: glance-bin
+data:
+{{- if eq .Values.storage "cinder" }}
+ iscsiadm: |
+{{ tuple "bin/_iscsiadm.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ multipath: |
+{{ tuple "bin/_multipath.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ multipathd: |
+{{ tuple "bin/_multipathd.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+ storage-init.sh: |
+{{ tuple "bin/_storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ metadefs-load.sh: |
+{{ tuple "bin/_metadefs-load.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ glance-api.sh: |
+{{ tuple "bin/_glance-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ceph-keyring.sh: |
+{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ceph-admin-keyring.sh: |
+{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ clean-image.sh: |
+{{ tuple "bin/_clean-image.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ clean-secrets.sh: |
+{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- if .Values.manifests.certificates }}
+ nginx.sh: |
+{{ tuple "bin/_nginx.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/configmap-etc.yaml b/charts/glance/templates/configmap-etc.yaml
new file mode 100644
index 0000000..0ee2606
--- /dev/null
+++ b/charts/glance/templates/configmap-etc.yaml
@@ -0,0 +1,156 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.glance.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "region_name" .Values.endpoints.identity.auth.glance.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "project_name" .Values.endpoints.identity.auth.glance.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.glance.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.glance.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "username" .Values.endpoints.identity.auth.glance.username -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "password" .Values.endpoints.identity.auth.glance.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.glance.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.glance.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "glance" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.glance.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.DEFAULT.public_endpoint -}}
+{{- $_ := tuple "image" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.glance.DEFAULT "public_endpoint" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.glance_store.stores -}}
+{{- if eq .Values.storage "rbd" }}
+{{- $_ := "file, http, rbd" | set .Values.conf.glance.glance_store "stores" -}}
+{{- end -}}
+{{- if eq .Values.storage "pvc" }}
+{{- $_ := "file, http" | set .Values.conf.glance.glance_store "stores" -}}
+{{- end -}}
+{{ if or (eq .Values.storage "radosgw") (eq .Values.storage "swift") }}
+{{- $_ := "file, http, swift" | set .Values.conf.glance.glance_store "stores" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.glance_store.default_store -}}
+{{- if eq .Values.storage "rbd" }}
+{{- $_ := "rbd" | set .Values.conf.glance.glance_store "default_store" -}}
+{{- end -}}
+{{- if eq .Values.storage "pvc" }}
+{{- $_ := "file" | set .Values.conf.glance.glance_store "default_store" -}}
+{{- end -}}
+{{ if or (eq .Values.storage "radosgw") (eq .Values.storage "swift") }}
+{{- $_ := "swift" | set .Values.conf.glance.glance_store "default_store" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.DEFAULT.bind_port -}}
+{{- $_ := tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.glance.DEFAULT "bind_port" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance.cors.allowed_origin -}}
+{{- $endpointScheme := tuple "dashboard" "public" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple "dashboard" "public" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple "dashboard" "public" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{- if eq $endpointPort "80" "443" -}}
+ {{/*
+ Common browsers don't add default ports like 80 and 443 to the headers
+ and URLs therefore CORS should allow to use URLs both with 80,443 and
+ without it in the URL.
+ */}}
+ {{- $_ := set $envAll.Values.conf.glance.cors "allowed_origin" ( list ) }}
+ {{- $__allowed_origin := append $envAll.Values.conf.glance.cors.allowed_origin (printf "%s://%s" $endpointScheme $endpointHost) }}
+ {{- $_ := set $envAll.Values.conf.glance.cors "allowed_origin" $__allowed_origin }}
+ {{- $__allowed_origin := append $envAll.Values.conf.glance.cors.allowed_origin (printf "%s://%s:%s" $endpointScheme $endpointHost $endpointPort) }}
+ {{- $_ := set $envAll.Values.conf.glance.cors "allowed_origin" $__allowed_origin }}
+ {{- else }}
+ {{- printf "%s://%s:%s" $endpointScheme $endpointHost $endpointPort | set .Values.conf.glance.cors "allowed_origin" }}
+ {{- end }}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: glance-etc
+type: Opaque
+data:
+ rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+ glance-api.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.glance | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+ glance-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+ glance_sudoers: {{ $envAll.Values.conf.glance_sudoers | b64enc }}
+ rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-" $key }}
+ {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
+{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
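Review bot: The two `{{ if or (eq .Values.storage "radosgw") (eq .Values.storage "swift") }}` guards (the `stores` and `default_store` fallbacks) omit the leading `-` trim that every sibling guard in this file uses, so each render emits a stray blank line ahead of the Secret document; change both to `{{- if or (eq .Values.storage "radosgw") (eq .Values.storage "swift") }}`. Separately, the `memcache_secret_key` fallback defaults to `randAlphaNum 64`, which presumably yields a fresh value on every render when neither the conf key nor the endpoint value is set; since the deployment hashes this Secret into a pod annotation, that would roll the API pods on every upgrade, and a comment such as `# NOTE: pin endpoints.oslo_cache.auth.memcache_secret_key in values; the random fallback changes on each render` would make the expectation explicit. This is inferred from the template logic only, so worth confirming against how the values file is populated.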
diff --git a/charts/glance/templates/deployment-api.yaml b/charts/glance/templates/deployment-api.yaml
new file mode 100644
index 0000000..9c26c74
--- /dev/null
+++ b/charts/glance/templates/deployment-api.yaml
@@ -0,0 +1,368 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_glance_api := .Values.pod.mounts.glance_api.glance_api }}
+{{- $mounts_glance_api_init := .Values.pod.mounts.glance_api.init_container }}
+
+{{- $serviceAccountName := "glance-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: glance-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "glance-api" "containerNames" ( list "glance-perms" "glance-api" "init" "nginx" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+{{- if .Values.pod.useHostNetwork.api }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+{{- if eq .Values.storage "cinder" }}
+ hostIPC: true
+{{- end }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_glance_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: glance-perms
+{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "glance" "container" "glance_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - chown
+ - -R
+ - "glance:"
+ - {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: glance-images
+ mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+ {{ if eq .Values.storage "rbd" }}
+ - name: ceph-keyring-placement
+{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "glance" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: RBD_STORE_USER
+ value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
+ command:
+ - /tmp/ceph-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: glance-bin
+ mountPath: /tmp/ceph-keyring.sh
+ subPath: ceph-keyring.sh
+ readOnly: true
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ {{- if $envAll.Values.manifests.certificates }}
+ - name: nginx
+{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "glance" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ ports:
+ - name: g-api
+ containerPort: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ env:
+ - name: PORT
+ value: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SHORTNAME
+ value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ command:
+ - /tmp/nginx.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/nginx.sh
+ - stop
+ volumeMounts:
+ - name: glance-bin
+ mountPath: /tmp/nginx.sh
+ subPath: nginx.sh
+ readOnly: true
+ - name: glance-etc
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx.conf
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- end }}
+ - name: glance-api
+{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "glance" "container" "glance_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/glance-api.sh
+ - start
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/glance/certs/ca.crt"
+{{- end }}
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/glance-api.sh
+ - stop
+ {{- if $envAll.Values.manifests.certificates }}
+ readinessProbe:
+ exec:
+ command:
+ - python
+ - -c
+ - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
+ livenessProbe:
+ exec:
+ command:
+ - python
+ - -c
+ - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
+ initialDelaySeconds: 30
+ {{- else }}
+ ports:
+ - name: g-api
+ containerPort: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ livenessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{- end }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: glance-tmp
+ mountPath: /var/lib/glance/tmp
+ - name: etcglance
+ mountPath: /etc/glance
+ - name: glance-bin
+ mountPath: /tmp/glance-api.sh
+ subPath: glance-api.sh
+ readOnly: true
+ - name: glance-etc
+ mountPath: /etc/glance/glance-api.conf
+ subPath: glance-api.conf
+ readOnly: true
+ {{- if .Values.conf.glance.DEFAULT.log_config_append }}
+ - name: glance-etc
+ mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: glance-etc
+ mountPath: /etc/glance/glance-api-paste.ini
+ subPath: glance-api-paste.ini
+ readOnly: true
+ - name: glance-etc
+ mountPath: /etc/glance/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: glance-etc
+ mountPath: /etc/glance/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+ - name: glance-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_glance_sudoers
+ subPath: glance_sudoers
+ readOnly: true
+ - name: glance-etc
+ mountPath: /etc/glance/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "api" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/glance/rootwrap.d/%s.filters" $filePrefix }}
+ - name: glance-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: glance-etc
+ mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
+ subPath: swift-store.conf
+ readOnly: true
+ - name: glance-images
+ mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+{{- if eq .Values.storage "cinder" }}
+ - name: host-rootfs
+ mountPath: /mnt/host-rootfs
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: host-dev
+ mountPath: /dev
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: runlock
+ mountPath: /run/lock
+ - name: etciscsi
+ mountPath: /etc/iscsi
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: usrlocalsbin
+ mountPath: /usr/local/sbin
+ - name: glance-bin
+ mountPath: /usr/local/sbin/iscsiadm
+ subPath: iscsiadm
+ - name: glance-bin
+ mountPath: /usr/local/sbin/multipath
+ subPath: multipath
+ - name: glance-bin
+ mountPath: /usr/local/sbin/multipathd
+ subPath: multipathd
+ - name: etcmultipath
+ mountPath: /etc/multipath
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ - name: sys
+ mountPath: /sys
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+{{- end }}
+{{- if eq .Values.storage "rbd" }}
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+{{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: glance-tmp
+ emptyDir: {}
+ - name: etcglance
+ emptyDir: {}
+ - name: glance-bin
+ configMap:
+ name: glance-bin
+ defaultMode: 0555
+ - name: glance-etc
+ secret:
+ secretName: glance-etc
+ defaultMode: 0444
+{{- if eq .Values.storage "pvc" }}
+ - name: glance-images
+ persistentVolumeClaim:
+ claimName: glance-images
+{{ else }}
+ - name: glance-images
+ emptyDir: {}
+{{- end }}
+{{- if eq .Values.storage "rbd" }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.secrets.rbd | quote }}
+{{- end }}
+{{- if eq .Values.storage "cinder" }}
+ - name: host-rootfs
+ hostPath:
+ path: /
+ - name: host-dev
+ hostPath:
+ path: /dev
+ - name: runlock
+ hostPath:
+ path: /run/lock
+ - name: etciscsi
+ hostPath:
+ path: /etc/iscsi
+ - name: usrlocalsbin
+ emptyDir: {}
+ - name: etcmultipath
+ hostPath:
+ path: /etc/multipath
+ - name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
+{{- end }}
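Review bot: In the certificates branch the readiness and liveness probes run `requests.get(...)` and discard the response, so any HTTP reply, including a 5xx from a broken API, counts as healthy; the non-TLS branch's `httpGet` probe by contrast only passes on a 2xx/3xx status. Append `.raise_for_status()` to both calls, and give them a bounded timeout so a hung listener is reported rather than waiting on the probe's own kill, e.g. `- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}', timeout=5).raise_for_status()"` for each of the two probes. Note that `raise_for_status()` does not flag 3xx, so the two branches stay consistent on redirects.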
diff --git a/charts/glance/templates/ingress-api.yaml b/charts/glance/templates/ingress-api.yaml
new file mode 100644
index 0000000..939855e
--- /dev/null
+++ b/charts/glance/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/glance/templates/job-bootstrap.yaml b/charts/glance/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..56bebfc
--- /dev/null
+++ b/charts/glance/templates/job-bootstrap.yaml
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- define "glance.templates._job_bootstrap.pod_volumes" -}}
+{{- $envAll := index . 0 -}}
+volumeMounts:
+ - name: imagedir
+ mountPath: /tmp/images
+volumes:
+ - name: imagedir
+ emptyDir: {}
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
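Review bot: `$envAll` in the `glance.templates._job_bootstrap.pod_volumes` define (the `index . 0` line) is assigned but never read anywhere in the define, which only emits two static lists. Go templates do not flag unused variables, so this is a style point rather than a render error; either drop the `{{- $envAll := index . 0 -}}` line and the `tuple .` wrapping at the call site, or keep it and add a comment such as `{{/* envAll is unused today; kept for parity with the other pod_volumes helpers */}}` so a reader does not look for a missing use.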
diff --git a/charts/glance/templates/job-clean.yaml b/charts/glance/templates/job-clean.yaml
new file mode 100644
index 0000000..26977c0
--- /dev/null
+++ b/charts/glance/templates/job-clean.yaml
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_clean }}
+{{- $envAll := . }}
+{{- if .Values.bootstrap.enabled }}
+
+{{- $serviceAccountName := print "glance-clean" }}
+{{ tuple $envAll "clean" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ print "glance-clean" }}
+ labels:
+{{ tuple $envAll "glance" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "glance" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "clean" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "clean" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ {{- if eq .Values.storage "rbd" }}
+ - name: glance-secret-clean
+{{ tuple $envAll "glance_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "clean" "container" "glance_secret_clean" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RBD_POOL_SECRET
+ value: {{ .Values.secrets.rbd | quote }}
+ command:
+ - /tmp/clean-secrets.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: glance-bin
+ mountPath: /tmp/clean-secrets.sh
+ subPath: clean-secrets.sh
+ readOnly: true
+ {{ end }}
+ - name: glance-image-clean
+{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ command:
+ - /tmp/clean-image.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: glance-bin
+ mountPath: /tmp/clean-image.sh
+ subPath: clean-image.sh
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: glance-bin
+ configMap:
+ name: glance-bin
+ defaultMode: 0555
+{{- end }}
+{{- end }}
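Review bot: The Role under `rules:` grants `get` and `delete` on every Secret in the release namespace, while the only container that needs it (`glance-secret-clean`) removes the single secret passed as `RBD_POOL_SECRET`; a compromised clean pod could therefore delete any other secret in the namespace. The name is known at render time, so scope the rule by adding `resourceNames:` / `  - {{ .Values.secrets.rbd | quote }}` under `resources: - secrets`, which still permits the `get` and `delete` the script needs. Separately, the `glance-image-clean` container has no `helm-toolkit.snippets.kubernetes_container_security_context` include, unlike `glance-secret-clean` a few lines above; adding `{{ dict "envAll" $envAll "application" "clean" "container" "glance_image_clean" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` (with a matching values entry, which is not on this page) gives it the same per-container hardening.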
diff --git a/charts/glance/templates/job-db-drop.yaml b/charts/glance/templates/job-db-drop.yaml
new file mode 100644
index 0000000..66f3a18
--- /dev/null
+++ b/charts/glance/templates/job-db-drop.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $serviceName := "glance" -}}
+{{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
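Review bot: `dbAdminTlsSecret` is set on the `$dbToDrop` dict here, whereas job-db-init.yaml and job-db-sync.yaml on this page set the same key on the job dict (`$dbInitJob`, `$dbSyncJob`). If the three helm-toolkit manifests read the key from the same place, one of these placements silently loses the TLS secret and the job falls back to a non-TLS MySQL connection when `manifests.certificates` is enabled. The helm-toolkit definitions are not in this hunk, so confirm against `helm-toolkit.manifests.job_db_drop_mysql` which dict it reads `dbAdminTlsSecret` from, and add a short comment above the `set` line stating why this template differs from its siblings if the difference is intentional.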
diff --git a/charts/glance/templates/job-db-init.yaml b/charts/glance/templates/job-db-init.yaml
new file mode 100644
index 0000000..6f79781
--- /dev/null
+++ b/charts/glance/templates/job-db-init.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $serviceName := "glance" -}}
+{{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/glance/templates/job-db-sync.yaml b/charts/glance/templates/job-db-sync.yaml
new file mode 100644
index 0000000..1434edd
--- /dev/null
+++ b/charts/glance/templates/job-db-sync.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" "glance" "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" "glance" ) "image" ( index .Values.images.tags ( printf "%s_db_sync" "glance" )) ) -}}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "glance" "podVolMounts" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumeMounts "podVols" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumes "dbToSync" $dbToSync -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/glance/templates/job-image-repo-sync.yaml b/charts/glance/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..dc9d322
--- /dev/null
+++ b/charts/glance/templates/job-image-repo-sync.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "glance" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
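Review bot: The `jobAnnotations` line inside the `helm3_hook` branch is missing `set`: `{{- $_ := $imageRepoSyncJob "jobAnnotations" (...) }}` tries to call the dict as a function, so rendering fails whenever `.Values.helm3_hook` is true. Every sibling job template on this page (job-ks-user.yaml, job-rabbit-init.yaml, job-db-init.yaml) uses `set` for the same assignment; change the line to `{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}`.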
diff --git a/charts/glance/templates/job-ks-endpoints.yaml b/charts/glance/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..fe761a3
--- /dev/null
+++ b/charts/glance/templates/job-ks-endpoints.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/glance/templates/job-ks-service.yaml b/charts/glance/templates/job-ks-service.yaml
new file mode 100644
index 0000000..8aaef78
--- /dev/null
+++ b/charts/glance/templates/job-ks-service.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/glance/templates/job-ks-user.yaml b/charts/glance/templates/job-ks-user.yaml
new file mode 100644
index 0000000..7f646e3
--- /dev/null
+++ b/charts/glance/templates/job-ks-user.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/glance/templates/job-metadefs-load.yaml b/charts/glance/templates/job-metadefs-load.yaml
new file mode 100644
index 0000000..1c2efaa
--- /dev/null
+++ b/charts/glance/templates/job-metadefs-load.yaml
@@ -0,0 +1,97 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_metadefs_load }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "glance-metadefs-load" }}
+{{ tuple $envAll "metadefs_load" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: glance-metadefs-load
+ labels:
+{{ tuple $envAll "glance" "metadefs-load" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+{{- end }}
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "glance" "metadefs_load" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "glance-metadefs-load" "containerNames" (list "init" "glance-metadefs-load" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "metadefs_load" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "metadefs_load" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: glance-metadefs-load
+{{ tuple $envAll "glance_metadefs_load" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.metadefs_load | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "metadefs_load" "container" "glance_metadefs_load" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - /tmp/metadefs-load.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: glance-bin
+ mountPath: /tmp/metadefs-load.sh
+ subPath: metadefs-load.sh
+ readOnly: true
+ - name: etcglance
+ mountPath: /etc/glance
+ - name: glance-etc
+ mountPath: /etc/glance/glance-api.conf
+ subPath: glance-api.conf
+ readOnly: true
+ {{- if .Values.conf.glance.DEFAULT.log_config_append }}
+ - name: glance-etc
+ mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: glance-bin
+ configMap:
+ name: glance-bin
+ defaultMode: 0555
+ - name: etcglance
+ emptyDir: {}
+ - name: glance-etc
+ secret:
+ secretName: glance-etc
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
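Review bot: The Job-level labels are rendered with component `"metadefs-load"` (the `kubernetes_metadata_labels ... | indent 4` line) while the pod template labels use `"metadefs_load"` (the `| indent 8` line), so the Job and its pods carry different component label values. Nothing breaks at deploy time because the Job controller generates its own selector, but label-based selection (network policy, dashboards, `kubectl -l`) will match one object and not the other; job-storage-init.yaml on this page uses `"storage-init"` in both places. Pick one spelling, most likely `"metadefs-load"` to match the object name, and use it on both lines.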
diff --git a/charts/glance/templates/job-rabbit-init.yaml b/charts/glance/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..6bd14d6
--- /dev/null
+++ b/charts/glance/templates/job-rabbit-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "glance" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.glance.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/glance/templates/job-storage-init.yaml b/charts/glance/templates/job-storage-init.yaml
new file mode 100644
index 0000000..d8aee23
--- /dev/null
+++ b/charts/glance/templates/job-storage-init.yaml
@@ -0,0 +1,198 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_storage_init }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "glance-storage-init" }}
+{{ tuple $envAll "storage_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: glance-storage-init
+ labels:
+{{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+{{- end }}
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "glance-storage-init" "containerNames" (list "init" "glance-storage-init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "storage_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
+ - name: ceph-keyring-placement
+{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: glance-bin
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ {{ end }}
+ containers:
+ - name: glance-storage-init
+{{ tuple $envAll "glance_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "glance_storage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: STORAGE_BACKEND
+ value: {{ .Values.storage | quote }}
+ {{- if eq .Values.storage "rbd" }}
+ - name: RBD_POOL_NAME
+ value: {{ .Values.conf.glance.glance_store.rbd_store_pool | quote }}
+ - name: RBD_POOL_APP_NAME
+ value: {{ .Values.conf.software.rbd.rbd_store_pool_app_name | quote }}
+ - name: RBD_POOL_USER
+ value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
+ - name: RBD_POOL_REPLICATION
+ value: {{ .Values.conf.glance.glance_store.rbd_store_replication | quote }}
+ - name: RBD_POOL_CRUSH_RULE
+ value: {{ .Values.conf.glance.glance_store.rbd_store_crush_rule | quote }}
+ - name: RBD_POOL_CHUNK_SIZE
+ value: {{ .Values.conf.glance.glance_store.rbd_store_chunk_size | quote }}
+ - name: RBD_POOL_SECRET
+ value: {{ .Values.secrets.rbd | quote }}
+ {{ end }}
+ {{- if eq .Values.storage "radosgw" }}
+ - name: RADOSGW_USERNAME
+ value: {{ .Values.endpoints.ceph_object_store.auth.glance.username | quote }}
+ - name: RADOSGW_PASSWORD
+ value: {{ .Values.endpoints.ceph_object_store.auth.glance.password | quote }}
+ - name: RADOSGW_TMPURL_KEY
+ value: {{ .Values.endpoints.ceph_object_store.auth.glance.tmpurlkey | quote }}
+ {{ end }}
+ {{- if eq .Values.storage "swift" }}
+ - name: SWIFT_TMPURL_KEY
+ value: {{ .Values.endpoints.object_store.auth.glance.tmpurlkey | quote }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.glance "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ {{ end }}
+ command:
+ - /tmp/storage-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: glance-bin
+ mountPath: /tmp/storage-init.sh
+ subPath: storage-init.sh
+ readOnly: true
+ {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ {{ end }}
+ {{- if eq .Values.storage "pvc" }}
+ - name: glance-images
+ mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
+ {{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: glance-bin
+ configMap:
+ name: glance-bin
+ defaultMode: 0555
+ {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.ceph_client.user_secret_name }}
+ {{ end }}
+ {{ end }}
+ {{- if eq .Values.storage "pvc" }}
+ - name: glance-images
+ persistentVolumeClaim:
+ claimName: glance-images
+ {{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
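Review bot: `RADOSGW_PASSWORD`, `RADOSGW_TMPURL_KEY` and `SWIFT_TMPURL_KEY` are rendered from values straight into the pod spec as plain `value:` strings, so the credentials are readable by anyone who can `get pods` or read the stored release manifest, whereas the swift branch right below takes its keystone credentials from `.Values.secrets.identity.glance` via `keystone_openrc_env_vars`. Prefer `valueFrom:` / `secretKeyRef:` against a chart-managed Secret for these three variables. The Role at the top of the file also allows `get`/`update`/`patch` on every Secret in the namespace; `create` cannot be limited by `resourceNames`, but the other three verbs can be scoped in a second rule to the secret this job presumably writes (`RBD_POOL_SECRET`, i.e. `.Values.secrets.rbd` — confirm against storage-init.sh, which is not on this page).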
diff --git a/charts/glance/templates/network_policy.yaml b/charts/glance/templates/network_policy.yaml
new file mode 100644
index 0000000..f7fe79c
--- /dev/null
+++ b/charts/glance/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "glance" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
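Review bot: The NetworkPolicy rendered here takes its rules from `network_policy.glance`, whose defaults later in this diff are `ingress: - {}` and `egress: - {}`; an empty rule object in a NetworkPolicy matches all peers, so enabling `manifests.network_policy` with the defaults yields an allow-all policy rather than a restrictive one (assuming the helm-toolkit helper, which is not visible here, passes the rule lists through unchanged). That is worth saying at the point of use so an operator does not mistake "policy present" for "policy enforcing". I would add above the `if`: `# NOTE: the default network_policy.glance rules (ingress/egress '- {}') match all traffic; override them with concrete podSelector/namespaceSelector/ports blocks to actually restrict the glance-api pods.`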
diff --git a/charts/glance/templates/pdb-api.yaml b/charts/glance/templates/pdb-api.yaml
new file mode 100644
index 0000000..0b27650
--- /dev/null
+++ b/charts/glance/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: glance-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/glance/templates/pod-rally-test.yaml b/charts/glance/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..0ca17eb
--- /dev/null
+++ b/charts/glance/templates/pod-rally-test.yaml
@@ -0,0 +1,125 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.glance_tests.glance_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.glance_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ print $envAll.Chart.Name "-test" }}
+ labels:
+{{ tuple $envAll "glance" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" "glance-test" "containerNames" (list "init" "glance-test" "glance-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+{{ if $envAll.Values.pod.tolerations.glance.enabled }}
+{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+ restartPolicy: Never
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ - name: glance-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "glance_test_ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+ command:
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: glance-bin
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+ containers:
+ - name: glance-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "glance_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: RALLY_ENV_NAME
+ value: {{.Chart.Name}}
+ command:
+ - /tmp/rally-test.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: glance-etc
+ mountPath: /etc/rally/rally_tests.yaml
+ subPath: rally_tests.yaml
+ readOnly: true
+ - name: glance-bin
+ mountPath: /tmp/rally-test.sh
+ subPath: rally-test.sh
+ readOnly: true
+ - name: rally-db
+ mountPath: /var/lib/rally
+ - name: rally-work
+ mountPath: /home/rally/.rally
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: glance-etc
+ secret:
+ secretName: glance-etc
+ defaultMode: 0444
+ - name: glance-bin
+ configMap:
+ name: glance-bin
+ defaultMode: 0555
+ - name: rally-db
+ emptyDir: {}
+ - name: rally-work
+ emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
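Review bot: The test pod injects the Keystone admin credentials from `secrets.identity.admin` into both the init container and the `glance-test` container, but the only hook annotation is `"helm.sh/hook": test-success` with no delete policy, so after `helm test` the completed pod, with the admin openrc still in its env, remains in the namespace and readable by anyone with pod get/describe. I would add `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` next to the hook annotation so the pod is cleaned up once it passes and replaced on re-run. Separately, the test user created by the init container is granted `endpoints.identity.auth.test.role`, which this diff defaults to `admin`; a comment on `SERVICE_OS_ROLE` noting that the rally scenarios only create/list/delete images and that a narrower role should be supplied in overrides would help. `test-success` also appears to be the legacy Helm 2 spelling; Helm 3 documents `test`, though I cannot confirm from here which Helm versions this bundle targets.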
diff --git a/charts/glance/templates/pvc-images.yaml b/charts/glance/templates/pvc-images.yaml
new file mode 100644
index 0000000..bd86d68
--- /dev/null
+++ b/charts/glance/templates/pvc-images.yaml
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pvc_images }}
+{{- $envAll := . }}
+{{- if eq .Values.storage "pvc" }}
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: glance-images
+spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: {{ .Values.volume.size }}
+ storageClassName: {{ .Values.volume.class_name }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/secret-db.yaml b/charts/glance/templates/secret-db.yaml
new file mode 100644
index 0000000..0a1085d
--- /dev/null
+++ b/charts/glance/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "glance" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
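Review bot: When `manifests.certificates` is on, the DB_CONNECTION string appends `ssl_ca`, client key/cert and `ssl_verify_cert`, but nothing that turns on hostname verification; with PyMySQL-style drivers `ssl_verify_cert` only validates the chain against the CA, and a separate `ssl_verify_identity` flag is needed for the server name check, so a valid cert for any host signed by the same CA would be accepted (hedged: this depends on which driver the `$connection` scheme resolves to, which is not visible in this hunk). If the driver honours it, the query string should end `...&ssl_verify_cert&ssl_verify_identity`. Either way a short comment above the `if` stating which verification the appended parameters provide (`# chain verification against ssl_ca; hostname check depends on driver support for ssl_verify_identity`) would save the next reader from assuming full TLS verification.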
diff --git a/charts/glance/templates/secret-ingress-tls.yaml b/charts/glance/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..b83f638
--- /dev/null
+++ b/charts/glance/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "image" ) }}
+{{- end }}
diff --git a/charts/glance/templates/secret-keystone.yaml b/charts/glance/templates/secret-keystone.yaml
new file mode 100644
index 0000000..fc6cc6a
--- /dev/null
+++ b/charts/glance/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "glance" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/secret-rabbitmq.yaml b/charts/glance/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..aba7639
--- /dev/null
+++ b/charts/glance/templates/secret-rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "glance" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/glance/templates/secret-registry.yaml b/charts/glance/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/glance/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/glance/templates/service-api.yaml b/charts/glance/templates/service-api.yaml
new file mode 100644
index 0000000..f2cbadf
--- /dev/null
+++ b/charts/glance/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: g-api
+ port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.api.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
diff --git a/charts/glance/templates/service-ingress-api.yaml b/charts/glance/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..965d26b
--- /dev/null
+++ b/charts/glance/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "image" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/glance/values.yaml b/charts/glance/values.yaml
new file mode 100644
index 0000000..69f703e
--- /dev/null
+++ b/charts/glance/values.yaml
@@ -0,0 +1,1009 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for glance.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+# radosgw, rbd, swift or pvc
+---
+storage: swift
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+release_group: null
+
+images:
+ tags:
+ test: docker.io/xrally/xrally-openstack:2.0.0
+ glance_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_xenial
+ glance_metadefs_load: docker.io/openstackhelm/glance:wallaby-ubuntu_focal
+ db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ glance_db_sync: docker.io/openstackhelm/glance:wallaby-ubuntu_focal
+ db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ glance_api: docker.io/openstackhelm/glance:wallaby-ubuntu_focal
+ # Bootstrap image requires curl
+ bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+bootstrap:
+ enabled: true
+ ks_user: admin
+ script: null
+ structured:
+ images:
+ cirros:
+ id: null
+ name: "Cirros 0.3.5 64-bit"
+ source_url: "http://download.cirros-cloud.net/0.3.5/"
+ image_file: "cirros-0.3.5-x86_64-disk.img"
+ min_disk: 1
+ image_type: qcow2
+ container_format: bare
+ private: true
+ properties:
+ # NOTE: If you want to restrict hypervisor type for this image,
+ # uncomment this and write specific hypervisor type.
+ # hypervisor_type: "qemu"
+ os_distro: "cirros"
+
+ceph_client:
+ configmap: ceph-etc
+ user_secret_name: pvc-ceph-client-key
+
+network_policy:
+ glance:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+conf:
+ software:
+ rbd:
+ rbd_store_pool_app_name: glance-image
+ rally_tests:
+ run_tempest: false
+ tests:
+ GlanceImages.create_and_delete_image:
+ - args:
+ container_format: bare
+ disk_format: qcow2
+ # NOTE(aostapenko) temporary location to work around https://bugs.launchpad.net/rally/+bug/1887705
+ image_location: https://artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/external/images/cirros/0.3.5/cirros-0.3.5-x86_64-disk.img
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ GlanceImages.create_and_list_image:
+ - args:
+ container_format: bare
+ disk_format: qcow2
+ # NOTE(aostapenko) temporary location to work around https://bugs.launchpad.net/rally/+bug/1887705
+ image_location: https://artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/external/images/cirros/0.3.5/cirros-0.3.5-x86_64-disk.img
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ ceph:
+ monitors: []
+ admin_keyring: null
+ override:
+ append:
+ ceph_client:
+ override:
+ append:
+ paste:
+ pipeline:glance-api:
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
+ pipeline:glance-api-caching:
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
+ pipeline:glance-api-cachemanagement:
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
+ pipeline:glance-api-keystone:
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context rootapp
+ pipeline:glance-api-keystone+caching:
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache rootapp
+ pipeline:glance-api-keystone+cachemanagement:
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache cachemanage rootapp
+ pipeline:glance-api-trusted-auth:
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
+ pipeline:glance-api-trusted-auth+cachemanagement:
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
+ composite:rootapp:
+ paste.composite_factory: glance.api:root_app_factory
+ /: apiversions
+ /v1: apiv1app
+ /v2: apiv2app
+ app:apiversions:
+ paste.app_factory: glance.api.versions:create_resource
+ app:apiv1app:
+ paste.app_factory: glance.api.v1.router:API.factory
+ app:apiv2app:
+ paste.app_factory: glance.api.v2.router:API.factory
+ filter:healthcheck:
+ paste.filter_factory: oslo_middleware:Healthcheck.factory
+ backends: disable_by_file
+ disable_by_file_path: /etc/glance/healthcheck_disable
+ filter:versionnegotiation:
+ paste.filter_factory: glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
+ filter:cache:
+ paste.filter_factory: glance.api.middleware.cache:CacheFilter.factory
+ filter:cachemanage:
+ paste.filter_factory: glance.api.middleware.cache_manage:CacheManageFilter.factory
+ filter:context:
+ paste.filter_factory: glance.api.middleware.context:ContextMiddleware.factory
+ filter:unauthenticated-context:
+ paste.filter_factory: glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ delay_auth_decision: true
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/glance/api_audit_map.conf
+ filter:gzip:
+ paste.filter_factory: glance.api.middleware.gzip:GzipMiddleware.factory
+ filter:osprofiler:
+ paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
+ hmac_keys: SECRET_KEY # DEPRECATED
+ enabled: yes # DEPRECATED
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: glance
+ oslo_config_program: glance-api
+ filter:http_proxy_to_wsgi:
+ paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
+ policy: {}
+ glance_sudoers: |
+ # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+ Defaults !requiretty
+ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+ glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *, /var/lib/openstack/bin/glance-rootwrap /etc/glance/rootwrap.conf *
+ rootwrap: |
+ # Configuration for glance-rootwrap
+ # This file should be owned by (and only-writable by) the root user
+
+ [DEFAULT]
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
+
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog=False
+
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility=syslog
+
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level=ERROR
+ rootwrap_filters:
+ glance_cinder_store:
+ pods:
+ - api
+ content: |
+ # glance-rootwrap command filters for glance cinder store
+ # This file should be owned by (and only-writable by) the root user
+
+ [Filters]
+ # cinder store driver
+ disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
+
+ # os-brick library commands
+ # os_brick.privileged.run_as_root oslo.privsep context
+ # This line ties the superuser privs with the config files, context name,
+ # and (implicitly) the actual python code invoked.
+ privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+
+ chown: CommandFilter, chown, root
+ mount: CommandFilter, mount, root
+ umount: CommandFilter, umount, root
+ glance:
+ DEFAULT:
+ log_config_append: /etc/glance/logging.conf
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ bind_port: null
+ workers: 1
+ enable_v1_api: False
+ oslo_middleware:
+ enable_proxy_headers_parsing: true
+ keystone_authtoken:
+ auth_type: password
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ glance_store:
+ cinder_catalog_info: volumev3::internalURL
+ rbd_store_chunk_size: 8
+ rbd_store_replication: 3
+ rbd_store_crush_rule: replicated_rule
+ rbd_store_pool: glance.images
+ rbd_store_user: glance
+ rbd_store_ceph_conf: /etc/ceph/ceph.conf
+ filesystem_store_datadir: /var/lib/glance/images
+ default_swift_reference: ref1
+ swift_store_container: glance
+ swift_store_create_container_on_put: true
+ swift_store_config_file: /etc/glance/swift-store.conf
+ swift_store_endpoint_type: internalURL
+ paste_deploy:
+ flavor: keystone
+ database:
+ max_retries: -1
+ oslo_concurrency:
+ lock_path: "/var/lib/glance/tmp"
+ oslo_messaging_notifications:
+ driver: messagingv2
+ oslo_messaging_rabbit:
+ rabbit_ha_queues: true
+ oslo_policy:
+ policy_file: /etc/glance/policy.yaml
+ cors: {}
+ logging:
+ loggers:
+ keys:
+ - root
+ - glance
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_glance:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: glance
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ api_audit_map:
+ DEFAULT:
+ target_endpoint_type: None
+ path_keywords:
+ detail: None
+ file: None
+ images: image
+ members: member
+ tags: tag
+ service_endpoints:
+ image: 'service/storage/image'
+ swift_store: |
+ [{{ .Values.conf.glance.glance_store.default_swift_reference }}]
+ {{- if eq .Values.storage "radosgw" }}
+ auth_version = 1
+ auth_address = {{ tuple "ceph_object_store" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ user = {{ .Values.endpoints.ceph_object_store.auth.glance.username }}:swift
+ key = {{ .Values.endpoints.ceph_object_store.auth.glance.password }}
+ {{- else }}
+ user = {{ .Values.endpoints.identity.auth.glance.project_name }}:{{ .Values.endpoints.identity.auth.glance.username }}
+ key = {{ .Values.endpoints.identity.auth.glance.password }}
+ auth_address = {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ user_domain_name = {{ .Values.endpoints.identity.auth.glance.user_domain_name }}
+ project_domain_name = {{ .Values.endpoints.identity.auth.glance.project_domain_name }}
+ auth_version = 3
+ # NOTE(portdirect): https://bugs.launchpad.net/glance-store/+bug/1620999
+ project_domain_id =
+ user_domain_id =
+ {{- end -}}
+ rabbitmq:
+ # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+ policies:
+ - vhost: "glance"
+ name: "ha_ttl_glance"
+ definition:
+ # mirror messges to other nodes in rmq cluster
+ ha-mode: "all"
+ ha-sync-mode: "automatic"
+ # 70s
+ message-ttl: 70000
+ priority: 0
+ apply-to: all
+ pattern: '^(?!(amq\.|reply_)).*'
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30092
+
+volume:
+ class_name: general
+ size: 2Gi
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - glance-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ api:
+ jobs:
+ - glance-storage-init
+ - glance-db-sync
+ - glance-rabbit-init
+ - glance-ks-user
+ - glance-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ bootstrap:
+ jobs: null
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: image
+ clean:
+ jobs: null
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - glance-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ ks_endpoints:
+ jobs:
+ - glance-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ storage_init:
+ jobs:
+ - glance-ks-user
+ services: null
+ metadefs_load:
+ jobs:
+ - glance-db-sync
+ services: null
+ tests:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: image
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: glance-keystone-admin
+ glance: glance-keystone-user
+ test: glance-keystone-test
+ oslo_db:
+ admin: glance-db-admin
+ glance: glance-db-user
+ rbd: images-rbd-keyring
+ oslo_messaging:
+ admin: glance-rabbitmq-admin
+ glance: glance-rabbitmq-user
+ tls:
+ image:
+ api:
+ public: glance-tls-public
+ internal: glance-tls-api
+ oci_image_registry:
+ glance: glance-oci-image-registry
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ glance:
+ username: glance
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ glance:
+ role: admin
+ region_name: RegionOne
+ username: glance
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ test:
+ role: admin
+ region_name: RegionOne
+ username: glance-test
+ password: password
+ project_name: test
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ image:
+ name: glance
+ hosts:
+ default: glance-api
+ public: glance
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: null
+ scheme:
+ default: http
+ service: http
+ port:
+ api:
+ default: 9292
+ public: 80
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ glance:
+ username: glance
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /glance
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ secret:
+ tls:
+ internal: rabbitmq-tls-direct
+ glance:
+ username: glance
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /glance
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ object_store:
+ name: swift
+ namespace: ceph
+ auth:
+ glance:
+ tmpurlkey: supersecret
+ hosts:
+ default: ceph-rgw
+ public: radosgw
+ host_fqdn_override:
+ default: null
+ path:
+ default: /swift/v1/KEY_$(tenant_id)s
+ scheme:
+ default: http
+ port:
+ api:
+ default: 8088
+ public: 80
+ ceph_object_store:
+ name: radosgw
+ namespace: ceph
+ auth:
+ glance:
+ username: glance
+ password: password
+ tmpurlkey: supersecret
+ hosts:
+ default: ceph-rgw
+ public: radosgw
+ host_fqdn_override:
+ default: null
+ path:
+ default: /auth/v1.0
+ scheme:
+ default: http
+ port:
+ api:
+ default: 8088
+ public: 80
+ fluentd:
+ namespace: null
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+ dashboard:
+ name: horizon
+ hosts:
+ default: horizon-int
+ public: horizon
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: null
+ scheme:
+ default: http
+ public: https
+ port:
+ web:
+ default: 80
+ public: 443
+ # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+ # They are using to enable the Egress K8s network policy.
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns:
+ default: 53
+ protocol: UDP
+ ingress:
+ namespace: null
+ name: ingress
+ hosts:
+ default: ingress
+ port:
+ ingress:
+ default: 80
+
+pod:
+ security_context:
+ glance:
+ pod:
+ runAsUser: 42424
+ container:
+ glance_perms:
+ readOnlyRootFilesystem: true
+ runAsUser: 0
+ ceph_keyring_placement:
+ readOnlyRootFilesystem: true
+ runAsUser: 0
+ glance_api:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nginx:
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+ clean:
+ pod:
+ runAsUser: 42424
+ container:
+ glance_secret_clean:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ metadefs_load:
+ pod:
+ runAsUser: 42424
+ container:
+ glance_metadefs_load:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ storage_init:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_keyring_placement:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ glance_storage_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ test:
+ pod:
+ runAsUser: 42424
+ container:
+ glance_test_ks_user:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ glance_test:
+ runAsUser: 65500
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ tolerations:
+ glance:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ useHostNetwork:
+ api: false
+ mounts:
+ glance_api:
+ init_container: null
+ glance_api:
+ volumeMounts:
+ volumes:
+ glance_tests:
+ init_container: null
+ glance_tests:
+ volumeMounts:
+ volumes:
+ glance_db_sync:
+ glance_db_sync:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ storage_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ metadefs_load:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+tls:
+ identity: false
+ oslo_messaging: false
+ oslo_db: false
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ deployment_api: true
+ ingress_api: true
+ job_bootstrap: true
+ job_clean: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ job_storage_init: true
+ job_metadefs_load: true
+ job_rabbit_init: true
+ pdb_api: true
+ pod_rally_test: true
+ pvc_images: true
+ network_policy: false
+ secret_db: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ secret_registry: true
+ service_ingress_api: true
+ service_api: true
+...
diff --git a/charts/heat/.helmignore b/charts/heat/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/heat/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/heat/Chart.yaml b/charts/heat/Chart.yaml
new file mode 100644
index 0000000..4d3af00
--- /dev/null
+++ b/charts/heat/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Heat
+home: https://docs.openstack.org/heat/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: heat
+sources:
+- https://opendev.org/openstack/heat
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.8
diff --git a/charts/heat/charts/helm-toolkit/Chart.yaml b/charts/heat/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..ffa1cdc
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.36
diff --git a/charts/heat/charts/helm-toolkit/requirements.yaml b/charts/heat/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
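Review bot: The `printf "%s://%s:%s@%s:%s%s"` on the last line of the define splices `$endpointUser` and `$endpointPass` into the URI without percent-encoding, so a password containing `@`, `:`, `/`, `#` or `%` produces a URI whose userinfo the consuming client splits at the wrong boundary. Go templates provide the builtin `urlquery`, so `{{- $endpointPass := index $userMap "password" | urlquery }}` (and the same for the username) closes the gap; note that `urlquery` encodes a space as `+`, which userinfo parsers do not decode, so passwords with spaces would still need care. The rendered string carries the cleartext credential, so callers should land it in a Secret rather than a ConfigMap — the callers are outside this hunk, so that cannot be confirmed here.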
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
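Review bot: When `statefulset` is set but `replicas` is missing or zero, `until ( atoi (print $ssMap.replicas ) )` on the range line iterates zero times, `endpointCredsAndHosts` stays empty, and the final printf renders a transport URL with no host at all (`rabbit:///cinder`) instead of failing the render; `print` of a nil value gives `<nil>`, which `atoi` maps to 0, so the misconfiguration is silent. Reading the count as `{{- $replicas := required "statefulset.replicas must be set" $ssMap.replicas | int }}` and ranging over `until $replicas` turns it into a template error at install time. The per-host printf on the range line and the one in the else branch also embed `$endpointUser`/`$endpointPass` unescaped, so a password containing `@`, `:` or `,` corrupts the comma-joined host list; piping both through `urlquery` where they are read from `$userMap` avoids that.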
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
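Review bot: The `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"` test is unanchored, so any host value that merely contains a dotted-quad substring (for example `db-10.0.0.1.example.com`, or a host mistakenly written as `10.0.0.1:3306`) is treated as a bare IPv4 address and returned verbatim, skipping the FQDN/override resolution in the else branch; anchoring it as `^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$` limits the shortcut to literal addresses. The define has no IPv6 path, so an IPv6 literal in `hosts` falls through to `hostname_fqdn_endpoint_lookup` and gets a namespace and cluster suffix appended, which the abstract should state if that is intended. Storing the intermediate host in `$context.Values.__endpointHost` uses the shared `.Values` tree as scratch space; a local `dict` keeps the helper side-effect free. `$endpointScheme` is assigned near the top of the body and never used.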
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
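Review bot: `printf "%1.f" $endpointPort` on the last line assumes the port arrived as a float64 (what an unquoted YAML number becomes); a port given as a quoted string such as `default: "3306"`, or supplied via `--set-string`, renders as `%!f(string=3306)` with no template error, and that text ends up in the generated config. Normalising first with Sprig's `int`, `{{- printf "%d" ($endpointPort | int) -}}`, accepts both forms; `int` maps a non-numeric string to 0 rather than erroring, so a `required`/`fail` check is still needed if a zero port must be rejected. If `$port` names a port class the endpoint does not define, `index $endpointMap.port $port` is nil and the next `index` fails with a terse "untyped nil" message; a `required` on `$endpointPortMAP` naming the missing key would make the misconfiguration obvious.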
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
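Review bot: When the token is unset, the `index ... "token"` lookup returns nil and `printf "%s"` on the last line renders the literal text `%!s(<nil>)` rather than aborting, so an absent admin token quietly becomes a bogus credential in whatever config consumes this helper. `{{- printf "%s" (required (printf "endpoints.%s.auth.%s.token is not set" $type $userName) $serviceToken) -}}` makes the render fail at install time instead. The example value in the docblock (`zh78JzXgw6YUKy2e`) reads like a real secret; an obviously fake placeholder such as `<token>` avoids it being copied into a deployment.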
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
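Review bot: The define writes its scratch value into `$context.Values` as `__FQDNendpointHostDefault` (the `set` on the `$_ :=` line and the map-unwrapping `if` after it), so every call mutates the shared `.Values` tree that later templates and any `toYaml .Values` dump also see; a local `dict` such as `$local := dict "fqdnDefault" (index $endpointMap.host_fqdn_override "default" | default "")` keeps the helper pure. The two branches of the final `if` differ only in whether `host` is unwrapped from a map, so resolving the per-endpoint override into one variable and then applying the `| default` chain once would remove the duplicated logic. `$endpointMap.host_fqdn_override` is indexed without a nil check, so an endpoint whose values omit `host_fqdn_override` fails with a generic "index of untyped nil" error rather than one naming the key; `default dict` on that lookup would surface the intended fallback.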
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
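Review bot: The IPv4 test on the `regexMatch` line is unanchored, so any host value that merely contains a dotted-quad substring is classified as a bare IP address and the template emits the endpoint type name instead of the configured host; anchoring the pattern, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, limits the IP-literal special case to values that are only an IP. An IPv6 literal would not match either form and would be passed through as a hostname, which may or may not be intended and deserves a comment. The same unanchored pattern appears in `_service_name_endpoint_with_namespace_lookup.tpl` in this commit. The `$endpointScheme` variable assigned near the top of the define is never read and can be dropped.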
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
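Review bot: The usage example in the header comment does not match the defined template: it calls `include "keystone_endpoint_name_lookup"` while the define is named `helm-toolkit.endpoints.keystone_endpoint_name_lookup`, and it passes `identity` as a bare identifier rather than a quoted string. Suggest `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}` so the example can be copied as-is. The abstract's `for an service type` should read `for a service type`.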
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/heat/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
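Review bot: The db-sync Job in this hunk renders its pod and container without any security context, unlike the ks-user job later in this commit, which includes both `helm-toolkit.snippets.kubernetes_pod_security_context` (pod level) and `helm-toolkit.snippets.kubernetes_container_security_context` (container level); the ks-endpoints, ks-service and rabbit-init hunks have the same gap. As rendered, the job container runs with the image's default user and no `readOnlyRootFilesystem`/`allowPrivilegeEscalation` controls, which matters because it is handed the database admin credentials and the `db-sync-conf` secret mounted at mode 0444. The ks-user pattern can be applied here with `{{ dict "envAll" $envAll "application" "db_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` under `spec:` and `{{ dict "envAll" $envAll "application" "db_sync" "container" "db_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources line, assuming those snippets render nothing when the corresponding `pod.security_context` values are absent, as their use in ks-user suggests. Since these files are bundled copies of helm-toolkit under each chart, the change would presumably have to be made in every copy or upstream rather than in this one file.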
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
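Review bot: The `OS_SERVICE_NAME` env var in this hunk is emitted without `quote` (`value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`), while every sibling value on the adjacent lines is piped through `quote`; the ks-service hunk has the same line. A Kubernetes env `value` must be a string, so a looked-up name that YAML would read as a number, boolean or null would fail at apply time rather than at template time. Changing it to `value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" | quote }}` keeps the rendered manifest consistent with the other entries and with the `image:`/`imagePullPolicy:` quoting used in the db-sync hunk.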
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
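Review bot: The root connection URL rebuilt on the `root_engine_url = ''.join([...])` line re-joins `root_user` and `root_password` into a connection string without URL-encoding them, although `url.username` and `url.password` are already decoded, so a root password containing `@`, `/`, `:` or `%` yields a URL that `create_engine` parses differently from the original `ROOT_DB_CONNECTION`, and a URL without a port produces a literal `host:None`. Passing the credentials through `quote_plus` (with the same py2/py3 import shim the file already uses for ConfigParser) before the join, or deriving the root URL from the parsed URL object rather than re-joining strings, keeps them intact. The rebuild also drops any query part of the original URL (driver options such as a charset); if that is intentional it belongs in the `# Root DB engine` comment. The same code appears in `_db-init.py.tpl` in this commit and this note applies there as well.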
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
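Review bot: The GRANT statement interpolates `password` and `user` straight into the SQL string, so a service password containing a single quote breaks the statement, and `database` is back-quoted here but left bare in the `CREATE DATABASE IF NOT EXISTS {0}` above it. At minimum escape embedded quotes (`password.replace("'", "''")`, likewise for `user`), or bind them as `sqlalchemy.text()` parameters if the driver permits that for GRANT, and back-quote the identifier consistently in both statements. `mysql_x509` is appended verbatim as the final clause — presumably a `REQUIRE ...` fragment — and needs a one-line comment stating which values it may hold. The `%%` doubling is needed because the raw string passes through the DBAPI's pyformat escaping; a short comment on that line would save the next reader a surprise.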
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
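Review bot: `EXPORT PGDATABASE=$2` in `pgsql_superuser_cmd` is not the bash builtin (`export` is lowercase); no caller in this script passes a second argument, so the branch is dead today, but the first caller that does will abort with "command not found" under `set -e`. Separately, `set -ex` traces every `pgsql_superuser_cmd` invocation, so the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` calls write the plaintext service password into the job log; wrap those two calls in `set +x` / `set -x`, as `_ks-user.sh.tpl` in this commit does for its password step. `[[ ! -z $2 ]]` reads more directly as `[[ -n $2 ]]`.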
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
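Review bot: Under `set -ex`, the `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` and `openstack user set --password=...` commands are echoed by xtrace with the password expanded, so the service credential lands in the job's stdout and whatever collects it. The sibling `_ks-user.sh.tpl` in this commit avoids this by wrapping its password step in `set +x` / `set -x` and echoing a masked line; the same pattern fits here: `set +x` before the `user create`, `set -x` after the `user set`. The existing comment says the separate `user set` ensures the password is updated; presumably because `--or-show` returns an existing user untouched, which is worth stating so the two-step intent is explicit.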
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
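Review bot: Several expansions are left unquoted — `openstack endpoint delete ${ENDPOINT_ID}`, both `openstack endpoint show ${OS_ENDPOINT_ID}` calls and `${OS_SVC_ENDPOINT}` in the create call — while neighbouring arguments are quoted; quoting them consistently (`"${ENDPOINT_ID}"`, `"${OS_ENDPOINT_ID}"`, `"${OS_SVC_ENDPOINT}"`) avoids word splitting if a value is ever empty or contains whitespace. The `OS_SERVICE_ID` lookup greps the CSV service list by name and type, so if duplicate services exist the variable may hold several IDs that are then passed to `endpoint create` as one argument; the FIXME in `_ks-service.sh.tpl` in this commit suggests duplicates have occurred, so failing explicitly when more than one ID is returned would be safer than proceeding.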
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
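Review bot: In `rabbitmqadmin_cli`, the TLS branch passes `--ssl-disable-hostname-verification` alongside a pinned CA, so any certificate issued by that CA is accepted for the broker regardless of the host it names; if this is needed because the broker is reached by a service name absent from the certificate's SAN, a comment above the flag should say so, otherwise the flag should be dropped. The trailing `${@}` in both branches should be `"$@"` so forwarded arguments containing spaces stay intact. The auxiliary definitions written to `/tmp/rmq_definitions.json` may contain credentials and are left on disk after the import; `rm -f` it after the import, or write it under a restrictive `umask`, to limit exposure.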
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
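Review bot: The test `[ $revisionResults = "None" ]` in create_or_update_db breaks when `rally db revision` prints nothing or more than one word: `[` then sees a malformed expression and, because the script runs under `set -e`, it aborts before the database is created or upgraded; quote it as `if [ "$revisionResults" = "None" ]`. Separately, /tmp/rally-config.json is created with the inherited umask while it holds OS_PASSWORD and SERVICE_OS_PASSWORD, and the `rm -f` only runs if `rally deployment create` succeeds, so a failed create leaves the credentials on disk. A `umask 077` before the `cat >` and moving the `rm -f /tmp/rally-config.json` into the rally_cleanup trap (which is only installed when RALLY_CLEANUP is true, so the unconditional removal should stay as well) would keep the file private and short-lived. The `set -x` trace is acceptable as written since the secrets are passed through the file rather than on a command line.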
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..db12915
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,540 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+local A_FILE="$1"
+local A_DATE=""
+if [[ -z ${BACK_UP_MODE} ]]; then
+ A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
+else
+ A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
+fi
+echo ${A_DATE}
+}
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+ ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -rf $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+ ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ create_hash_table $(cat $DB_BACKUP_FILES)
+ remove_old_remote_archives
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
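Review bot: Remote retention in remove_old_remote_archives never deletes anything: create_hash_table fills the associative array `fileTable`, but this function iterates `${!FILETABLE[@]}` (bash variable names are case-sensitive), so the loop body is skipped and backups older than REMOTE_DAYS_TO_KEEP accumulate in the RGW container indefinitely; the two lines should read `for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do` and `ARCHIVE_FILE=${fileTable[${INDEX}]}`. The first of the two remove_old_local_archives definitions carries the same `FILETABLE` reference but is shadowed by the second, so it can simply be dropped. Both "does not exist" WARN branches use `${$ARCHIVE_DIR}`, which is a bad substitution in bash and aborts the function instead of logging — `${ARCHIVE_DIR}` is intended. As listed here the trailing `for fd` cleanup loop in remove_old_remote_archives has no closing `fi`/`done` and tests the literal word `fd` rather than `${fd}`; if the missing lines are not a listing artifact the file fails to parse when sourced, and either way the temporary files are never removed. get_archive_date also parses `${ARCHIVE_FILE}` instead of its own `$A_FILE` argument, which only works because the caller's loop variable is global.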
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..c2de3aa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f 8
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
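Review bot: In retrieve_remote_listing the `$?` tested right after `openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list` is awk's exit status, so a failed `openstack object list` (or a grep with no match) still prints "Archive listing successfully retrieved." over an empty list; add `set -o pipefail` after the shebang or test `${PIPESTATUS[0]}` instead. The user-supplied `<archive_filename>` is also spliced unvalidated into `cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE` in get_archive and `rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}` in delete_archive, so a name carrying a path separator operates outside ARCHIVE_DIR; a guard at the top of both functions, `case "$ARCHIVE_FILE" in ""|*/*|.|..) clean_and_exit 1 "ERROR: Invalid archive name." ;; esac`, rejects that before any copy or delete runs. database_exists uses a substring `grep "${DB}" ${RESULT_FILE}`, so a restore of `nova` is accepted when the archive lists only `nova_api`; `grep -qxF -- "${DB}" "${RESULT_FILE}"` matches whole lines and also drops the stray match output that currently lands on stdout. This path looks like a vendored copy of helm-toolkit, so these fixes presumably belong upstream and get picked up on the next re-bundle.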
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
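Review bot: `index $envAll.Values.images.tags $image` yields nil when the tag key is missing, and the snippet then renders an empty or malformed `image:` value rather than failing at template time, so the mistake only surfaces as a pod-creation error later; `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}` turns the missing key into a render error with a clear message. `imagePullPolicy: {{ $envAll.Values.images.pull_policy }}` is emitted unquoted while the `image:` lines are quoted; appending `| quote` keeps the two consistent and protects against an empty value rendering as null.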
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
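Review bot: The header comment does not document the `useCA` parameter that the define reads at `{{- $useCA := .useCA -}}`, and its `return:` block lists OS_CACERT unconditionally while omitting OS_DEFAULT_DOMAIN, which the template always emits; suggest extending the usage line to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}` and noting that OS_CACERT appears only when useCA is true. OS_ENDPOINT_TYPE reading secret key `OS_INTERFACE` is presumably intentional (same value under two client conventions), but a one-line comment above that entry would save the next reader a double take. The spellings "enviorment" and "equivlant" in the abstract could be fixed at the same time.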
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
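Review bot: This snippet is the only one of the keystone helpers in this series without an `abstract`/`values`/`usage`/`return` header, and it is also the one that renders credentials: a short header stating that it takes a tuple of `(userClass, identityEndpoint, context)`, reads `.Values.endpoints.identity.auth.<userClass>`, and emits base64-encoded Secret data for OS_AUTH_URL through OS_CACERT would bring it in line with the sibling files. The `OS_CACERT: {{ $userContext.cacert | b64enc }}` entry encodes whatever `cacert` holds; if that value is expected to be a file path inside the container rather than PEM content (which is presumably what the consuming clients want from an OS_CACERT variable), saying so in the header would prevent an easy misconfiguration.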
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
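Review bot: The `usage:` example passes `"useCA" true`, but the define only reads `.ksUserSecret` (`{{- $ksUserSecret := .ksUserSecret }}`) and never emits a CA entry, so the documented parameter is silently ignored; either drop `"useCA" true` from the example or, if CA support is meant to mirror keystone_openrc_env_vars, add a `{{- if .useCA }}`-guarded `SERVICE_OS_CACERT` entry reading key `OS_CACERT`. The abstract carries the same "enviorment" misspelling as the openrc snippet.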
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
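Review bot: The `values:` example in the header places `apparmor_profiles` under `pod.mandatory_access_control`, but the define reads `$envAll.Values.conf.apparmor_profiles` (both in the `if` and in the `toYaml | indent 2` line), so a chart author copying the example gets no ConfigMap and no error; the example should show `conf:` with `apparmor_profiles:` beneath it. The example also writes `apparmor_profiles: |-` as a block scalar, whereas `toYaml | indent 2` under `data:` only yields a valid ConfigMap when the value is a map of profile name to profile text, so the doc and the code should agree on the map form. If a chart enables `configmap_apparmor` without defining `conf` at all, the `.conf.apparmor_profiles` lookup presumably fails the render rather than skipping quietly; a `hasKey $envAll.Values "conf"` guard alongside the existing `hasKey` checks would make that explicit.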
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
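Review bot: The `image:` line is rendered as a bare unquoted value with no `imagePullPolicy`, while the entrypoint init container in this same bundle builds its image block with `{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}`; using `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` here would give the loader the same quoting, pull-policy and local-registry handling. The container also runs with `privileged: true`, which is expected for a loader that has to write profiles into the kernel's AppArmor interface via /sys, but the header comment never says so; a sentence in the abstract such as `The container is privileged because loading profiles requires write access to the kernel AppArmor interface under /sys.` makes that trade-off visible to chart consumers deciding whether to enable it.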
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
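Review bot: The `sys` volume is only emitted when `requireSys` is true (the `default false` on the input), yet the companion `_kubernetes_apparmor_loader_init_container.tpl` in this bundle unconditionally mounts a volume named `sys`, so a caller that accepts the default and also includes the loader renders a pod whose volumeMount refers to a volume that does not exist. The `inputs` block should state the coupling, e.g. `requireSys: "Boolean. Must be true whenever the apparmor-loader init container is rendered, since it mounts the sys volume."`. The two hostPath volumes also carry no `type:`; adding `type: Directory` under each `hostPath:` makes the kubelet verify the host directory exists before mounting instead of mounting blindly.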
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
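Review bot: The innermost guard indexes `$envAll.Values.pod.security_context $application "container"` and hands the result straight to `hasKey` without first checking that the application stanza has a `container` key; when only a `pod:` sub-map is set for that application (the shape shown in the second example of `_kubernetes_pod_security_context.tpl` in this bundle) `index` yields nil and `hasKey` on a nil map appears to abort rendering rather than fall through. Inserting `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "container" }}` between the existing two checks (with a matching `{{- end -}}`) would make the missing-stanza case render nothing, which is what the outer guards intend. Separately, `hasKey ( index $envAll.Values.pod.security_context ) $application` wraps a single-argument `index` that is a no-op; `hasKey $envAll.Values.pod.security_context $application` reads cleaner.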
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
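Review bot: The `DEPENDENCY_JOBS_JSON` branch writes `value: {{- toJson $deps.jobs | quote -}}`, and the leading `{{-` strips the space after `value:`, so the rendered line comes out as `value:"[...]"` with no separator; whether a YAML parser accepts that as a key/value pair is doubtful, and it is inconsistent with the `DEPENDENCY_POD_JSON` and `DEPENDENCY_CUSTOM_RESOURCE` lines below, which keep the space. `value: {{ toJson $deps.jobs | quote }}` matches the siblings. The snippet also stashes its working state in `$envAll.Values.__kubernetes_entrypoint_init_container` and sets `namespace` on every entry of `$deps.custom_resources` in place, which mutates the caller's values for every template rendered afterwards; a comment such as `{{/* NOTE: mutates .Values — __kubernetes_entrypoint_init_container is scratch state also written by the rbac serviceaccount snippet */}}` above the first `set` would at least make that coupling visible.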
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
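Review bot: This is the only snippet in the set without the `abstract`/`usage`/`return` header comment the other helm-toolkit snippets carry, so a reader has to infer that it renders a kubectl label-selector fragment. A header along the lines of `abstract: Renders kubectl label selector arguments for an application/component pair.`, with a `tuple . "myApp" "myComponent"` usage and the `-l application=myApp -l component=myComponent` return, would bring it in line. Since the output is spliced into a command line, the header should also state that `$application` and `$component` are emitted unquoted and are expected to come from chart-controlled values.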
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
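Review bot: The annotation key `container.apparmor.security.beta.kubernetes.io/<name>` is the legacy beta mechanism; as of Kubernetes 1.30 AppArmor is configured through the `appArmorProfile` field under `securityContext` and the annotation is deprecated, so the header comment should say that newer clusters expect the field form and that the annotation may eventually stop being honoured. The profile value is also rendered with a bare `{{ $apparmorProfile }}`; `{{ $apparmorProfile | quote }}` keeps the annotation a string even if a user supplies a value YAML would otherwise retype.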
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
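Review bot: `release_group`, `application` and `component` are emitted as unquoted scalars; label values must be strings, and a release name or component such as `123` (which Helm accepts) or anything boolean-looking would be retyped by the YAML parser and rejected by the API server. Rendering them as `release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name | quote }}`, with `| quote` on the other two as well, removes the ambiguity. The component labels are emitted before the `default` labels, so when both define the same key the parser's usual last-wins behaviour lets `default` override the per-component value; stating that precedence in the `return` comment would save chart authors a surprise.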
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
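Review bot: When `$antiAffinityType` is neither `preferredDuringSchedulingIgnoredDuringExecution` nor `requiredDuringSchedulingIgnoredDuringExecution` (a typo in values suffices), the `if`/`else if` chain renders only the bare `podAntiAffinity:` key, so a misconfiguration silently degrades to no anti-affinity instead of failing the render. An `{{- else }}{{- fail (printf "unsupported pod.affinity.anti.type %q" $antiAffinityType) }}` arm before the closing `{{- end }}` would surface it at template time. In the preferred branch a `weight` map that exists but lacks both the component key and `default` yields `weight:` with a null value, whereas the `else` arm falls back to a literal 10; appending `| default 10` to that `index` expression would make both paths agree.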
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
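Review bot: The template is defined as `helm-toolkit.snippets.kubernetes_image_pull_secrets` while the file is named `_kubernetes_pod_image_pull_secret.tpl`, unlike the other snippets in this directory whose define name matches the file name; aligning the two would help anyone grepping for the definition. When `pod.image_pull_secrets` is set but contains neither the application key nor `default`, the snippet emits `imagePullSecrets:` with no entries, which the API server presumably treats as an empty list but which a `{{- if or (hasKey ...) (hasKey ...) }}` guard around the key would avoid rendering at all.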
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
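Review bot: The RoleBinding's subject uses `namespace: {{ $saNamespace }}`, which is the namespace the Role is created in, but the ServiceAccount itself is created in `$envAll.Release.Namespace` by `_kubernetes_pod_rbac_serviceaccount.tpl`, and that caller passes each dependency's endpoint namespace as the fourth tuple element; for a cross-namespace dependency the binding therefore names a ServiceAccount that does not exist in that namespace and grants nothing to the real one. Unless callers only ever pass the release namespace, the subject should read `namespace: {{ $envAll.Release.Namespace }}`. On the least-privilege side, `list` on `secrets` lets the dependency-check container enumerate every Secret in the namespace; if the entrypoint only needs to confirm specific secrets exist, `get` with `resourceNames` would be tighter. The `pods` resource is also appended once per matching dependency, so it can appear several times in the same rule.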
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
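Review bot: The dependency-resolution block here duplicates the one in `_kubernetes_entrypoint_init_container.tpl` but omits the `job_rabbit_init` dynamic-dependency merge that snippet performs, so when that path contributes extra `jobs` or `services` the Role rendered from this snippet may not cover what the init container actually checks; extracting the resolution into one shared named template would keep the two in step. `$allNamespace` is also seeded with `dict $randomKey ""` from `randAlphaNum 32` and the key is removed again before use; `{{- $allNamespace := dict }}` gives the same empty map without the unneeded random value. Finally, `index $envAll.Values.endpoints $serv.service` followed by `$endpointMap.namespace` will abort rendering with a nil-map error if a dependency names an endpoint that is not declared under `endpoints`, which deserves either a comment or a `required` check with a clearer message.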
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
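Review bot: When both the deprecated `pod.user.<app>.uid` and `pod.security_context.<app>.pod.runAsUser` are set, the snippet emits `runAsUser` twice under `securityContext` — once from the `uid` branch and once inside the `toYaml` of the `pod` map, exactly the combination the two examples in the header describe — and which value wins is left to the YAML parser, which is not acceptable for a field that decides whether the process is root. Look the `pod` map up once at the top (with a `default dict` so a missing `security_context` does not error) and guard the legacy line with `not (hasKey $podCtx "runAsUser")`, or emit `fail` when both are present. The abstract also misspells "seurity context", and `securityContext:` is written even when neither key exists, so such a pod renders `securityContext: null`; harmless, but worth a sentence in the header.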
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
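Review bot: `mergeOverwrite $probeTemplate $probeOverides` on the last output line writes into `$probeTemplate` itself (sprig's mergeOverwrite mutates its first argument), so a caller that builds one template dict and passes it for both `readiness` and `liveness` has the second probe inherit the first probe's `params`. The documented usage avoids this only because `fromYaml` produces a fresh dict each call; merging into a new map, `mergeOverwrite (dict) $probeTemplate $probeOverides`, removes the aliasing regardless of how the caller builds the dict. Separately, the `index … $component $container $type` chain aborts the whole render, I believe, when `pod.probes.<component>.<container>.<type>` is absent rather than rendering no probe; if that is intended as fail-closed, say so in the header.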
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
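Review bot: The `return` example in the header has an unterminated string, `memory: "128Mi`, which should read `memory: "128Mi"`. The body also renders nothing at all when `pod.resources.enabled` is false, so the pod runs with neither requests nor limits; since the function is marked deprecated, the note should name the intended replacement and state that disabling it removes all resource bounds rather than falling back to defaults.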
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
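Review bot: The `container.seccomp.security.alpha.kubernetes.io/<name>` annotations this snippet renders are the deprecated seccomp mechanism; `securityContext.seccompProfile` has been the supported form since Kubernetes v1.19 and recent releases no longer honour the annotation, in which case the container silently runs without the profile instead of failing. The values already carry a per-container `localhost/<profile>` string, so translating it into `seccompProfile: {type: Localhost, localhostProfile: <profile>}` in each container's securityContext would keep the control effective; at minimum the abstract should warn that the annotation has no effect on current clusters. Also, `hasKey (index $envAll.Values.pod "seccomp") $podName` errors out, I believe, when `pod.seccomp` is absent altogether rather than rendering nothing.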
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
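Review bot: `enabled` appears in the values example but is never read: the body indexes `pod.tolerations.<component>` and emits `.tolerations` unconditionally, so a chart that sets `enabled: false` for a component still gets them — and the example tolerations are precisely the ones that let a pod schedule onto control-plane nodes. Wrap the output in `{{- if $pod.enabled }}` … `{{- end }}`, or state in the header that `enabled` is ignored. The usage line is also inconsistent with the body: it passes the `.Values.pod.tolerations.api` map as the second tuple element, whereas `index $envAll.Values.pod.tolerations $component` expects the component name as a string (`tuple . "api"`).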
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
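Review bot: `type: {{ $pod_replacement_strategy }}` is emitted before the `if $pod_replacement_strategy` guard, so when `pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy` is unset the output is `updateStrategy:` with an empty `type:` (null) instead of omitting the key. Move the `type` line inside the `{{- if $pod_replacement_strategy }}` block, or skip `updateStrategy` entirely when no strategy is configured. Note too that the strategy is read from the daemonsets map as a whole while `min_ready_seconds` and `max_unavailable` come from the per-component map; the header has no comment explaining that split.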
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
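Review bot: `rollingUpdate.partition` is emitted whenever `.partition` is truthy regardless of `pod_replacement_strategy`; with `OnDelete` the API server rejects a StatefulSet that carries `rollingUpdate` (validation forbids it for any type other than `RollingUpdate`, I believe), so the render succeeds but the apply fails. The daemonset and deployment snippets already gate on the type; doing the same here, `{{ if and .partition (eq .pod_replacement_strategy "RollingUpdate") -}}`, keeps the three consistent. A `partition` of `0` is also falsy and so cannot be set explicitly, which is only harmless because 0 is the API default — worth a line in the header.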
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
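Review bot: The usage example in the header, `sed -i -e "s/^mon_host = /mon_host = $MON_HOST/"`, cannot work with the value this function produces: every entry ends in `/0` (see the `printf "v2:%s:%d/0"` and `v1:` lines), so the interpolated `/` terminates the `s` command early and sed exits with an error. Use a delimiter that cannot occur in the value, e.g. `sed -i -e "s|^mon_host = |mon_host = $MON_HOST|"`. The format comment above the function also says `x.x.x.x/p/0` while the code emits `x.x.x.x:p/0`. Callers should know the function needs `get` on `endpoints` in `$ns` for the pod's ServiceAccount; a denied request prints to stderr and yields the same empty string as an endpoint with no addresses, which is the only condition the example checks.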
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
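Review bot: Unlike the service variant, this snippet has no `prometheus.io/scheme` branch, so a pod that serves metrics over TLS cannot declare it through the same values map and is scraped over plain http by the usual scrape configs. Adding the same three lines, `{{- if $config.scheme }}` / `prometheus.io/scheme: {{ $config.scheme | quote }}` / `{{- end }}`, keeps the two snippets interchangeable. The header could also state that `scrape: false` produces no annotation at all rather than `"false"`, since the branch only fires on a truthy value.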
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
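Review bot: The license header is missing its first line — the comment opens with `you may not use this file except in compliance with the License.` — so the grant it refers to is never named; restore `Licensed under the Apache License, Version 2.0 (the "License");` to match the other snippets in this directory. The `scheme` value is also passed through unchecked; a sentence in the header that only `http`/`https` are meaningful to Prometheus would help chart authors.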
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
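Review bot: The abstract reads `Reneders an attonation key and value for a release`; it should say `Renders an annotation key and value for a release`. A note that `release_uuid` falls back to an empty string, so the annotation is always emitted (just empty) when the value is unset, would also save the reader a trip to the body.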
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
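Review bot: `.s3AdminSecret` is used unchecked; when the caller omits it the three `secretKeyRef.name` fields render empty and the failure only surfaces at pod creation, not at `helm template` or lint time. `{{- $s3AdminSecret := required "s3AdminSecret is required" .s3AdminSecret }}` at the top fails early with a clear message. The admin key pair is then exposed as environment variables, which every child process inherits and which are readable from `/proc/<pid>/environ`; if the consuming image really needs env rather than a read-only file mount, a header comment saying so would stop reviewers re-raising it.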
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
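Review bot: `{{ $value | toString | b64enc }}` does not guard against an unset value: if a client's `auth` map has a key with no value, `toString` yields, I believe, the literal `<nil>` (or an empty string), which is then base64-encoded into the Secret without error, turning a missing credential into a wrong one at runtime. Use `required` per key, e.g. `{{ $key | upper }}: {{ required (printf "storage.s3.clients.%s.auth.%s is unset" $client $key) $value | toString | b64enc }}`. The keys are emitted exactly as given (uppercased) while the companion env-var snippet reads `USERNAME`, `ACCESS_KEY` and `SECRET_KEY`; that contract is not stated anywhere in this file.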
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
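Review bot: The `key:` values `USERNAME`, `ACCESS_KEY` and `SECRET_KEY` assume each `storage.s3.clients.<client>.auth` map has exactly `username`, `access_key` and `secret_key`; a client defined with different keys renders cleanly and then fails with CreateContainerConfigError when the pod starts. This snippet has no header comment at all — add one naming the required keys and the `<client>-s3-user-secret` naming rule it shares with `rgw_s3_secret_creds`. The `replace "-" "_" | upper` on the client name also leaves any other character (e.g. `.`) in the env var name, which the API server then rejects.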
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
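Review bot: `enabled` is tested for truthiness, and the usage example passes it as the string `"true"`; any non-empty string, including `"false"`, is truthy in Go templates, so a caller who follows the example and flips it to `"false"` still gets the TLS secret mounted. The example should pass a real boolean as the volume_mount snippet does (`dict "enabled" .Values.manifests.certificates …`), and the abstract should say the value must be a boolean. `defaultMode: 292` is 0444 — world-readable inside the container, which a non-root process needs but which also makes `tls.key` readable by every uid; a template comment `{{/* 0444 */}}` beside it would make that choice visible to reviewers.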
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
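Review bot: The second usage block documents a `"ca" true` parameter for the CA-only mount, but the body never reads a `ca` key: the CA-only branch is chosen solely by `path` being empty (`if and (eq $path "") (ne $name "")`). So `"ca" true` together with a `path` mounts all three files, and omitting `path` gives the CA-only mount whether or not `ca` was set; either honour the key (`$ca := index . "ca" | default false` and branch on `or $ca (eq $path "")`) or drop it from the docs. The abstract should also carry a caveat that every file is mounted via `subPath`, and kubelet does not propagate Secret updates into subPath mounts, so a rotated certificate or key is not seen until the pod is recreated.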
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/heat/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
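Review bot: The returned map carries the CA private key as `caKey` (the `set $certificate "caKey"` lines in both the encoded and plain branches), yet the `return:` block of the doc comment lists only `ca`, `crt`, `exp` and `key`; a consumer that writes the whole map into a Secret therefore ships the CA signing key alongside every leaf certificate without the documentation saying so. The doc comment should add `caKey: |` / `<CA PRIVATE KEY>` to the return listing, or the key should only be emitted when a caller opts in. Separately, when `params.ca` is present but lacks either `crt` or `key`, neither branch sets `$local.ca`, so the later `genSignedCert` call receives a nil CA; a `fail` with a clear message in that case would be more helpful than the resulting template error. Since this file is a vendored copy of helm-toolkit, the fix belongs upstream rather than in this bundle.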
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
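Review bot: `{{- $_ := unset $context ".Files" }}` near the top of the define passes the key with a leading dot, so unless the context map carries a key literally named `.Files` the call is a no-op and `Files` stays in `$context`; the intent reads as `{{- $_ := unset $context "Files" }}`. The deep-copy lines (`$context.Values | toYaml | fromYaml`) operate on `Values` only, but the later `omit $context "Values"` merge still carries the untouched context into every generated daemonset's `nodeData`, which is presumably what the unset was meant to trim. As this is a vendored helm-toolkit copy, the correction should be carried upstream as well.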
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
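Review bot: The separator is emitted before the exclusion check, so an excluded image that is not the first key yields a doubled or trailing comma in the output (constructed example: `a,,c` or `a,b,`); the `{{- if not $local.first -}},{{- end -}}` line belongs inside the `{{- if (not (has $k $imageExcludeList )) -}}` block, directly before `{{- index $imageDict $k -}}`. The sibling `helm-toolkit.utils.joinListWithComma` template in this commit places the comma correctly and can serve as the reference. This is a vendored helm-toolkit file, so the fix should go upstream too.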
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
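Review bot: The single quotes wrapped around each item on the `range` line are not matched by any escaping of quotes inside the item, so a value containing `'` closes the quoting early and the rest of the value is emitted bare, which matters as soon as the joined string is handed to a shell, SQL or config parser. The helper cannot know the consumer's escaping rules, so the safe option is to refuse such values before emitting them: `{{- if contains "'" (toString $v) }}{{ fail (printf "joinListWithCommaAndSingleQuotes: %q contains a single quote" $v) }}{{ end -}}`. The abstract comment also misspells "seperated".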
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
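Review bot: The first line of this file opens the licence block with `{/*` instead of `{{/*`, so the licence text is not a template comment at all but literal text running up to the stray `*/}}`. Because the file only contributes a `define`, the text outside it is not emitted as part of any manifest and nothing breaks today, but any linter or direct render of the file will see the licence text, and the next person to edit the header will copy the mistake. Change that line to `{{/*`, matching the sibling helpers in this directory.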
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
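Review bot: `_merge.shallow` copies only the top level of a source map, so when `_merge` adopts a map under a key the target lacks the nested maps inside that copy are still the source's own objects; a later merge into the same target descends into them via `index $.target $key` and `set`s keys on the caller's source data. When the source is a `.Values` subtree, as the public `merge` helper's documentation suggests, one merge's result leaks into the next use of those values and whether it shows depends on template evaluation order. The TODO above the kind checks is related: a map merged over a scalar also silently keeps the source, which hides mis-typed overrides. Making the copy helper recurse for map values removes the aliasing; if the toolchain's Sprig provides `deepCopy`, that is the simpler replacement.
```gotemplate
{{- define "helm-toolkit.utils._merge.shallow" -}}
  {{- range $key, $value := $.source -}}
    {{- if kindIs "map" $value -}}
      {{/* recurse so nested maps are copied rather than shared with the source */}}
      {{- $copy := dict -}}
      {{- $_ := include "helm-toolkit.utils._merge.shallow" (dict "target" $copy "source" $value) -}}
      {{- $_ := set $.target $key $copy -}}
    {{- else -}}
      {{- $_ := set $.target $key $value -}}
    {{- end -}}
  {{- end -}}
{{- end -}}
```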
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_template.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
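Review bot: `replace $last $name` substitutes every occurrence of the calling template's basename in its full path, not only the final segment, so in principle a chart whose directory path repeats the basename resolves to a template name that does not exist and the `include` fails. Building the name from the directory is exact: `{{- $sibling := printf "%s/%s" (dir $context.Template.Name) $name -}}` and `{{ include $sibling $context }}`, which also replaces the `$wtf` name with one that says what it holds. Unlike its siblings this helper has no abstract/usage comment; one saying that it includes template `$name` from the same directory as the calling template, taking a tuple of name and context, would help.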
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
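Review bot: Values are written into the INI output verbatim, so a value that contains a newline adds a further `key = value` or `[section]` line to the rendered file, and the slice branch inherits the same property through `joinListWithComma`. The data comes from chart values rather than end users, so this is hardening rather than an open injection, but values overrides are frequently assembled from several sources and a broken config is hard to trace back. A guard before the emit line, `{{- if contains "\n" (toString $value) }}{{ fail (printf "to_ini: [%s] %s contains a newline" $section $key) }}{{ end -}}`, turns it into a render-time error.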
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
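Review bot: The usage comment does not match the helper: it shows `include "helm-toolkit.utils.to_k8s_env_vars" .Values.test` with a single argument, while the `define` is `to_k8s_env_secret_vars` and reads a tuple of context and secrets map via `index . 0` / `index . 1`. From the body it looks like the intended call is `{{ tuple $ .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}`; worth confirming against the fluentd chart it references. Separately, `name:` and `key:` emit `$key` unquoted while the secret name is quoted, so an all-digit or YAML-special key would be retyped; `- name: {{ $key | quote }}` and `key: {{ $key | quote }}` keep them strings.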
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
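Review bot: The `value:` lines are quoted but `- name: {{ $key }}` is not, so an env var name that happens to be numeric-looking or contain a YAML indicator is emitted unquoted and retyped by the YAML parser; `- name: {{ $key | quote }}` in both branches keeps the name a string. Note also that a map value falls through to the `else` branch and `quote` renders Go's textual form of the map, which is unlikely to be what a caller meant; a `fail` for `kindIs "map" $value` would surface that at render time.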
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/heat/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
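Review bot: A map-valued option whose `type` is neither `multistring` nor `csv` is silently dropped, because the inner `if`/`else if` has no final branch, so a typo such as `type: multi_string` removes the option from the rendered oslo config without any error; a missing `type` key is likewise skipped rather than reported. Adding `{{- else }}{{ fail (printf "to_oslo_conf: unsupported option type %q for [%s] %s" (toString $value.type) $section $key) }}` before that `end` makes the mistake fail the render. As with `to_ini`, scalar values are emitted verbatim, so a value with an embedded newline becomes an extra config line.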
diff --git a/charts/heat/charts/helm-toolkit/values.yaml b/charts/heat/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/heat/requirements.lock b/charts/heat/requirements.lock
new file mode 100644
index 0000000..1a130f6
--- /dev/null
+++ b/charts/heat/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.36
+digest: sha256:7815f273587bf686278d58f0c6e9c86c37f220ef3f3c1e83edc478613082fef4
+generated: "2022-03-24T05:04:10.242253189Z"
diff --git a/charts/heat/requirements.yaml b/charts/heat/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/heat/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
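Review bot: The dependency is declared with an unbounded range `>= 0.1.0` against a `file://../../openstack-helm-infra/helm-toolkit` path outside this chart, while the same commit vendors helm-toolkit under `charts/heat/charts/` and the lock records `0.2.36`. Anyone running `helm dependency update` in this bundle either fails because the path is absent or, if it exists on their machine, silently replaces the vendored toolkit with whatever version is checked out there, which defeats the point of bundling. Pinning `version: "0.2.36"` (the locked version) bounds that drift; pointing `repository` at the vendored copy would remove the external path dependence altogether, if that is the intended workflow.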
diff --git a/charts/heat/templates/bin/_bootstrap.sh.tpl b/charts/heat/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/heat/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
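Review bot: `set -ex` traces every expanded command of an operator-supplied script, so if `.Values.bootstrap.script` passes credentials on a command line (an `openstack` call with `--os-password`, a `curl -u`, etc.) they are written verbatim to the container log. The default `echo 'Not Enabled'` is harmless, but the script is arbitrary by design. Either drop the trace here, `set -e`, or add a comment above it warning that the bootstrap script is executed under `-x` and must not carry secrets in arguments.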
diff --git a/charts/heat/templates/bin/_db-sync.sh.tpl b/charts/heat/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..652762d
--- /dev/null
+++ b/charts/heat/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+heat-manage db_sync
diff --git a/charts/heat/templates/bin/_heat-api.sh.tpl b/charts/heat/templates/bin/_heat-api.sh.tpl
new file mode 100644
index 0000000..b756d59
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-api.sh.tpl
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+
+{{- if .Values.manifests.certificates }}
+ for WSGI_SCRIPT in heat-wsgi-api; do
+ cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
+ done
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+{{- end }}
+
+ if [ -f /var/run/apache2/apache2.pid ]; then
+ # Remove the stale pid for debian/ubuntu images
+ rm -f /var/run/apache2/apache2.pid
+ fi
+ # Starts Apache2
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+ exec heat-api \
+ --config-file /etc/heat/heat.conf
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+ kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
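Review bot: The final `$COMMAND` line runs whatever the container was started with as a shell command, since `COMMAND="${@:-start}"` joins all arguments into one string that is then word-split and executed; only `start` and `stop` are defined, so anything else is effectively an eval of the pod's `args`. Restricting the dispatch to the two known entry points closes that and gives a usable error. In the TLS branch, `cp -a $(type -p ${WSGI_SCRIPT})` is also unquoted; `"$(type -p "${WSGI_SCRIPT}")"` is the safe form.
```shell
COMMAND="${1:-start}"
# … unchanged: start() and stop() …
case "$COMMAND" in
  start|stop)
    "$COMMAND"
    ;;
  *)
    echo "usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
```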
diff --git a/charts/heat/templates/bin/_heat-cfn.sh.tpl b/charts/heat/templates/bin/_heat-cfn.sh.tpl
new file mode 100644
index 0000000..757b59a
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-cfn.sh.tpl
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+{{- if .Values.manifests.certificates }}
+ for WSGI_SCRIPT in heat-wsgi-api-cfn; do
+ cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
+ done
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+{{- end }}
+
+
+ if [ -f /var/run/apache2/apache2.pid ]; then
+ # Remove the stale pid for debian/ubuntu images
+ rm -f /var/run/apache2/apache2.pid
+ fi
+ # Starts Apache2
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+ exec heat-api-cfn \
+ --config-file /etc/heat/heat.conf
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+ kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
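Review bot: The Apache bootstrap in `start()` (copying the WSGI script, sourcing envvars, `a2enmod`/`a2dismod`, stale pid removal, `exec` of the binary) is a line-for-line copy of the heat-api script with only the WSGI script name and the fallback binary changed, so fixes will have to be made twice. A shared template, e.g. `heat.utils.apache_start` taking the WSGI script name, would let both scripts include it. As in the api script, the trailing `$COMMAND` executes arbitrary container args; `case "${1:-start}" in start|stop) "${1:-start}" ;; *) echo "usage: $0 {start|stop}" >&2; exit 1 ;; esac` limits it to the defined functions.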
diff --git a/charts/heat/templates/bin/_heat-cloudwatch.sh.tpl b/charts/heat/templates/bin/_heat-cloudwatch.sh.tpl
new file mode 100644
index 0000000..6bf15ff
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-cloudwatch.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec heat-api-cloudwatch \
+ --config-file /etc/heat/heat.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
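Review bot: `heat-api-cloudwatch` was deprecated upstream and, as far as I recall, removed from Heat in a later release; if the configured image carries such a release the `exec` fails at container start, so it is worth confirming which Heat release the image ships or gating this script's manifest on a value. The trailing `$COMMAND` executes whatever args the container is given; `case "${1:-start}" in start|stop) "${1:-start}" ;; *) echo "usage: $0 {start|stop}" >&2; exit 1 ;; esac` restricts it to the two defined functions.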
diff --git a/charts/heat/templates/bin/_heat-engine-cleaner.sh.tpl b/charts/heat/templates/bin/_heat-engine-cleaner.sh.tpl
new file mode 100644
index 0000000..d19decc
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-engine-cleaner.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+heat-manage service clean
diff --git a/charts/heat/templates/bin/_heat-engine.sh.tpl b/charts/heat/templates/bin/_heat-engine.sh.tpl
new file mode 100644
index 0000000..30fdff3
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-engine.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+COMMAND="${@:-start}"
+
+function start () {
+ exec heat-engine \
+ --config-file /etc/heat/heat.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
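Review bot: This script uses `set -x` where the other service scripts in this chart use `set -ex`, so a failure in `stop()` (the `kill`) returns success here while it would fail in the api, cfn and cloudwatch scripts. With `exec` in `start()` the difference is small, but the inconsistency looks accidental; `set -ex` brings it in line. The trailing `$COMMAND` executes arbitrary container args as in the sibling scripts; `case "${1:-start}" in start|stop) "${1:-start}" ;; *) echo "usage: $0 {start|stop}" >&2; exit 1 ;; esac` restricts it to the defined functions.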
diff --git a/charts/heat/templates/bin/_heat-purge-deleted-active.sh.tpl b/charts/heat/templates/bin/_heat-purge-deleted-active.sh.tpl
new file mode 100644
index 0000000..1514171
--- /dev/null
+++ b/charts/heat/templates/bin/_heat-purge-deleted-active.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+heat-manage purge_deleted -g minutes "$1"
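Review bot: `$1` is passed straight to `purge_deleted -g minutes` without being checked, so an empty or non-numeric argument is handed to `heat-manage`, whose error message will not say where the bad value came from. A one-line guard before the call makes the contract explicit: `[[ "${1:-}" =~ ^[0-9]+$ ]] || { echo "usage: $0 <minutes>" >&2; exit 1; }`.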
diff --git a/charts/heat/templates/bin/_trusts.sh.tpl b/charts/heat/templates/bin/_trusts.sh.tpl
new file mode 100644
index 0000000..837ec00
--- /dev/null
+++ b/charts/heat/templates/bin/_trusts.sh.tpl
@@ -0,0 +1,48 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -ex
+
+# Get IDs for filtering
+OS_PROJECT_ID=$(openstack project show -f value -c id ${OS_PROJECT_NAME})
+OS_USER_ID=$(openstack user show -f value -c id ${OS_USERNAME})
+SERVICE_OS_TRUSTEE_ID=$(openstack user show -f value -c id --domain ${SERVICE_OS_TRUSTEE_DOMAIN} ${SERVICE_OS_TRUSTEE})
+
+# Check if trust doesn't already exist
+openstack trust list -f value -c "Project ID" \
+ -c "Trustee User ID" -c "Trustor User ID" | \
+ grep "^${OS_PROJECT_ID} ${SERVICE_OS_TRUSTEE_ID} ${OS_USER_ID}$" && \
+ exit 0
+
+# If there are no roles specified...
+if [ -z "${SERVICE_OS_ROLES}" ]; then
+ # ...Heat will try to delegate all of the roles that user has in the
+ # project. Let's fetch them all and use that.
+ readarray -t roles < <(openstack role assignment list -f value \
+ -c "Role" --user="${OS_USERNAME}" --project="${OS_PROJECT_ID}")
+else
+ # Split roles into an array
+ IFS=',' read -r -a roles <<< "${SERVICE_OS_ROLES}"
+fi
+
+# Create trust between trustor and trustee
+SERVICE_OS_TRUST_ID=$(openstack trust create -f value -c id \
+ --project="${OS_PROJECT_NAME}" \
+ ${roles[@]/#/--role=} \
+ --trustee-domain="${SERVICE_OS_TRUSTEE_DOMAIN}" \
+ "${OS_USERNAME}" \
+ "${SERVICE_OS_TRUSTEE}")
+
+# Display trust
+openstack trust show "${SERVICE_OS_TRUST_ID}"
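Review bot: The `#!/bin/bash` on the 13th line is preceded by the license comment, so to the kernel it is just another comment; whether `/tmp/trusts.sh` runs at all then depends on how the job invokes it, which is outside this hunk, and moving the shebang to line 1 (above the comment block) removes the dependency. Separately, when `SERVICE_OS_ROLES` is empty the script delegates every role the trustor holds in the project, including any admin role, and the existence check only matches on project/trustee/trustor IDs, so tightening `SERVICE_OS_ROLES` later does not change a trust that already exists. I would say so in the header: `# NOTE: with SERVICE_OS_ROLES unset ALL of the user's project roles are delegated; an existing trust is never updated, delete it to change roles.` The unquoted `${roles[@]/#/--role=}` also word-splits role names containing spaces.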
diff --git a/charts/heat/templates/certificates.yaml b/charts/heat/templates/certificates.yaml
new file mode 100644
index 0000000..353dfd6
--- /dev/null
+++ b/charts/heat/templates/certificates.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{ dict "envAll" . "service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/heat/templates/configmap-bin.yaml b/charts/heat/templates/configmap-bin.yaml
new file mode 100644
index 0000000..8278e7d
--- /dev/null
+++ b/charts/heat/templates/configmap-bin.yaml
@@ -0,0 +1,64 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: heat-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ ks-domain-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
+ trusts.sh: |
+{{ tuple "bin/_trusts.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ heat-api.sh: |
+{{ tuple "bin/_heat-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ heat-cfn.sh: |
+{{ tuple "bin/_heat-cfn.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ heat-cloudwatch.sh: |
+{{ tuple "bin/_heat-cloudwatch.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ heat-engine.sh: |
+{{ tuple "bin/_heat-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ heat-engine-cleaner.sh: |
+{{ tuple "bin/_heat-engine-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ heat-purge-deleted-active.sh: |
+{{ tuple "bin/_heat-purge-deleted-active.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
diff --git a/charts/heat/templates/configmap-etc.yaml b/charts/heat/templates/configmap-etc.yaml
new file mode 100644
index 0000000..d5716e1
--- /dev/null
+++ b/charts/heat/templates/configmap-etc.yaml
@@ -0,0 +1,153 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.heat.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "region_name" .Values.endpoints.identity.auth.heat.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "project_name" .Values.endpoints.identity.auth.heat.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.heat.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.heat.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "username" .Values.endpoints.identity.auth.heat.username -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "password" .Values.endpoints.identity.auth.heat.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.trustee.region_name -}}
+{{- $_ := set .Values.conf.heat.trustee "region_name" .Values.endpoints.identity.auth.heat_trustee.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.user_domain_name -}}
+{{- $_ := set .Values.conf.heat.trustee "user_domain_name" .Values.endpoints.identity.auth.heat_trustee.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.username -}}
+{{- $_ := set .Values.conf.heat.trustee "username" .Values.endpoints.identity.auth.heat_trustee.username -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.password -}}
+{{- $_ := set .Values.conf.heat.trustee "password" .Values.endpoints.identity.auth.heat_trustee.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.stack_user_domain_name -}}
+{{- $_ := set .Values.conf.heat.DEFAULT "stack_user_domain_name" .Values.endpoints.identity.auth.heat_stack_user.domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.DEFAULT.stack_domain_admin -}}
+{{- $_ := set .Values.conf.heat.DEFAULT "stack_domain_admin" .Values.endpoints.identity.auth.heat_stack_user.username -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.DEFAULT.stack_domain_admin_password -}}
+{{- $_ := set .Values.conf.heat.DEFAULT "stack_domain_admin_password" .Values.endpoints.identity.auth.heat_stack_user.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.heat.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.heat.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.heat.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "heat" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.heat.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.heat_metadata_server_url -}}
+{{- $_ := tuple "cloudformation" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.cloudformation.path.default | set .Values.conf.heat.DEFAULT "heat_metadata_server_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.heat_waitcondition_server_url -}}
+{{- $_ := cat (tuple "cloudformation" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup") "waitcondition" | replace " " "/" | set .Values.conf.heat.DEFAULT "heat_waitcondition_server_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.DEFAULT.heat_watch_server_url -}}
+{{- $_ := tuple "cloudwatch" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix "/" | set .Values.conf.heat.DEFAULT "heat_watch_server_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.clients_keystone.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path.default | set .Values.conf.heat.clients_keystone "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.trustee.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path.default | set .Values.conf.heat.trustee "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.heat_api.bind_port -}}
+{{- $_ := tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api "bind_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.heat_api_cloudwatch.bind_port -}}
+{{- $_ := tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cloudwatch "bind_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.heat_api_cfn.bind_port -}}
+{{- $_ := tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cfn "bind_port" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: heat-etc
+type: Opaque
+data:
+ rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+ heat.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.heat | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+ api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+{{- if .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_heat "key" "wsgi-heat.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cfn "key" "wsgi-cnf.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
+ {{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
+{{- end }}
+{{- end }}
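Review bot: The `memcache_secret_key` fallback `default (randAlphaNum 64) …` generates a fresh key on every render, so each `helm upgrade` with `endpoints.oslo_cache.auth.memcache_secret_key` unset rewrites `heat.conf`, changes the configmap-etc hash and rolls every API pod, and cached token entries written under the previous key become unreadable (as far as I can tell from the keystone_authtoken usage). Either require the operator to set the value, or document the behaviour next to the line: `# NOTE: randAlphaNum yields a new key per render; set endpoints.oslo_cache.auth.memcache_secret_key to keep it stable across upgrades.` The Secret key `wsgi-cnf.conf` also looks like a typo for `wsgi-cfn.conf`; whichever spelling is intended, the CFN deployment's `subPath` must use the same one.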
diff --git a/charts/heat/templates/cron-job-engine-cleaner.yaml b/charts/heat/templates/cron-job-engine-cleaner.yaml
new file mode 100644
index 0000000..1e7e6f3
--- /dev/null
+++ b/charts/heat/templates/cron-job-engine-cleaner.yaml
@@ -0,0 +1,105 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_engine_cleaner }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_engine_cleaner := .Values.pod.mounts.heat_engine_cleaner.heat_engine_cleaner }}
+{{- $mounts_heat_engine_cleaner_init := .Values.pod.mounts.heat_engine_cleaner.init_container }}
+
+{{- $serviceAccountName := "heat-engine-cleaner" }}
+{{ tuple $envAll "engine_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: heat-engine-cleaner
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.engine_cleaner.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.engine_cleaner.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.engine_cleaner.history.failed }}
+ {{- if .Values.jobs.engine_cleaner.starting_deadline }}
+ startingDeadlineSeconds: {{ .Values.jobs.engine_cleaner.starting_deadline }}
+ {{- end }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "engine-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "heat-engine-cleaner" "containerNames" (list "heat-engine-cleaner" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "engine-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 12 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-engine-cleaner" "containerNames" (list "heat-engine-cleaner" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "engine_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "engine_cleaner" $mounts_heat_engine_cleaner_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ containers:
+ - name: heat-engine-cleaner
+{{ tuple $envAll "heat_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "engine_cleaner" "container" "heat_engine_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+ command:
+ - /tmp/heat-engine-cleaner.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: heat-bin
+ mountPath: /tmp/heat-engine-cleaner.sh
+ subPath: heat-engine-cleaner.sh
+ readOnly: true
+ - name: etcheat
+ mountPath: /etc/heat
+ - name: heat-etc
+ mountPath: /etc/heat/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+ - name: heat-etc
+ mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+ readOnly: true
+ {{ end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
+{{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etcheat
+ emptyDir: {}
+ - name: heat-etc
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+{{ if $mounts_heat_engine_cleaner.volumes }}{{ toYaml $mounts_heat_engine_cleaner.volumes | indent 12 }}{{ end }}
+{{- end }}
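Review bot: The mandatory-access-control annotation inside the pod template is rendered with `indent 8`, while its sibling annotations are at 12, so when AppArmor profiles are configured (the only case in which the snippet appears to emit anything) the key lands under `template:` rather than `template.metadata.annotations` and the CronJob is rejected instead of getting its profile. Change that line to end in `| indent 12 }}`. Separately, `batch/v1beta1` CronJob was removed in Kubernetes 1.25; `batch/v1` has been available since 1.21.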
diff --git a/charts/heat/templates/cron-job-purge-deleted.yaml b/charts/heat/templates/cron-job-purge-deleted.yaml
new file mode 100644
index 0000000..dd275d7
--- /dev/null
+++ b/charts/heat/templates/cron-job-purge-deleted.yaml
@@ -0,0 +1,99 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_purge_deleted }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_purge_deleted := .Values.pod.mounts.heat_purge_deleted.heat_purge_deleted }}
+{{- $mounts_heat_purge_deleted_init := .Values.pod.mounts.heat_purge_deleted.init_container }}
+
+{{- $serviceAccountName := "heat-purge-deleted" }}
+{{ tuple $envAll "purge_deleted" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: heat-purge-deleted
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.purge_deleted.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.purge_deleted.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.purge_deleted.history.failed }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "purge-deleted" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "heat-purge-deleted" "containerNames" (list "init" "heat-purge-deleted" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "purge-deleted" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 12 }}
+{{ dict "envAll" $envAll "podName" "heat-purge-deleted" "containerNames" (list "init" "heat-purge-deleted" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "purge_deleted" $mounts_heat_purge_deleted_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ containers:
+ - name: heat-purge-deleted
+{{ tuple $envAll "heat_purge_deleted" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.purge_deleted | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+ command:
+ - /tmp/heat-purge-deleted-active.sh
+ - {{ quote .Values.jobs.purge_deleted.purge_age }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: heat-bin
+ mountPath: /tmp/heat-purge-deleted-active.sh
+ subPath: heat-purge-deleted-active.sh
+ readOnly: true
+ - name: etcheat
+ mountPath: /etc/heat
+ - name: heat-etc
+ mountPath: /etc/heat/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+ - name: heat-etc
+ mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+ readOnly: true
+ {{ end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
+{{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etcheat
+ emptyDir: {}
+ - name: heat-etc
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+{{ if $mounts_heat_purge_deleted.volumes }}{{ toYaml $mounts_heat_purge_deleted.volumes | indent 12 }}{{ end }}
+{{- end }}
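Review bot: Unlike the engine-cleaner CronJob, this pod template includes neither the pod-level nor the container-level security-context snippet, so the purge job runs with the image's default user while mounting `heat.conf` with the database credentials. Adding `{{ dict "envAll" $envAll "application" "purge_deleted" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}` after `serviceAccountName` and the matching `kubernetes_container_security_context` include after the resources line (with corresponding `pod.security_context` values) brings it in line with the other jobs. The mandatory-access-control annotation in the pod template also uses `indent 8` where its siblings sit at 12, which would mis-nest the AppArmor key when a profile is configured; it should be `| indent 12 }}`. `batch/v1beta1` is removed in Kubernetes 1.25 as well.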
diff --git a/charts/heat/templates/deployment-api.yaml b/charts/heat/templates/deployment-api.yaml
new file mode 100644
index 0000000..a17ddae
--- /dev/null
+++ b/charts/heat/templates/deployment-api.yaml
@@ -0,0 +1,145 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_api := .Values.pod.mounts.heat_api.heat_api }}
+{{- $mounts_heat_api_init := .Values.pod.mounts.heat_api.init_container }}
+
+{{- $serviceAccountName := "heat-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: heat-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-api" "containerNames" (list "heat-api" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_heat_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: heat-api
+{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/heat-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/heat-api.sh
+ - stop
+ ports:
+ - name: h-api
+ containerPort: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 30
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: wsgi-heat
+ mountPath: /var/www/cgi-bin/heat
+ - name: heat-bin
+ mountPath: /tmp/heat-api.sh
+ subPath: heat-api.sh
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+ - name: heat-etc
+ mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+ readOnly: true
+ {{ end }}
+ - name: heat-etc
+ mountPath: /etc/heat/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+ {{- if .Values.manifests.certificates }}
+ - name: heat-etc
+ mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf
+ subPath: wsgi-heat.conf
+ readOnly: true
+ - name: heat-etc
+ mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+ subPath: mpm_event.conf
+ readOnly: true
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: wsgi-heat
+ emptyDir: {}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+ - name: heat-etc
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/heat/templates/deployment-cfn.yaml b/charts/heat/templates/deployment-cfn.yaml
new file mode 100644
index 0000000..9fab9e6
--- /dev/null
+++ b/charts/heat/templates/deployment-cfn.yaml
@@ -0,0 +1,143 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_cfn }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_cfn := .Values.pod.mounts.heat_cfn.heat_cfn }}
+{{- $mounts_heat_cfn_init := .Values.pod.mounts.heat_cfn.init_container }}
+
+{{- $serviceAccountName := "heat-cfn" }}
+{{ tuple $envAll "cfn" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: heat-cfn
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.cfn }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-cfn" "containerNames" (list "heat-cfn" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.cfn.node_selector_key }}: {{ .Values.labels.cfn.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cfn.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "cfn" $mounts_heat_cfn_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: heat-cfn
+{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/heat-cfn.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/heat-cfn.sh
+ - stop
+ ports:
+ - name: h-cfn
+ containerPort: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 30
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: wsgi-heat
+ mountPath: /var/www/cgi-bin/heat
+ - name: heat-bin
+ mountPath: /tmp/heat-cfn.sh
+ subPath: heat-cfn.sh
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+ - name: heat-etc
+ mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+ readOnly: true
+ {{ end }}
+ - name: heat-etc
+ mountPath: /etc/heat/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+ {{- if .Values.manifests.certificates }}
+ - name: heat-etc
+ mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf
+ subPath: wsgi-cnf.conf
+ readOnly: true
+ - name: heat-etc
+ mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+ subPath: mpm_event.conf
+ readOnly: true
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: wsgi-heat
+ emptyDir: {}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+ - name: heat-etc
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
+{{- end }}
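Review bot: The `subPath: wsgi-cnf.conf` on the Apache site mount (the line after `mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf`) must match a key in the `heat-etc` secret, which is built in configmap-etc.yaml outside this hunk; the api deployment uses the `wsgi-heat.conf` pattern, so `wsgi-cnf` reads like a transposition of `cfn`. If the secret key is indeed spelled `wsgi-cnf.conf` this is consistent, otherwise the kubelet cannot prepare the subPath and the container never starts once `manifests.certificates` is enabled. Whichever it is, a one-line comment above the mount, `# key name must match the heat-etc secret built in configmap-etc.yaml`, would stop the next reader from "fixing" it. Separately, `livenessProbe` is `tcpSocket` only, which cannot tell a hung WSGI worker from a healthy one; an HTTP probe against the API would be a stronger check, though the scheme would have to follow `manifests.certificates`.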
diff --git a/charts/heat/templates/deployment-cloudwatch.yaml b/charts/heat/templates/deployment-cloudwatch.yaml
new file mode 100644
index 0000000..092feac
--- /dev/null
+++ b/charts/heat/templates/deployment-cloudwatch.yaml
@@ -0,0 +1,122 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_cloudwatch }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_cloudwatch := .Values.pod.mounts.heat_cloudwatch.heat_cloudwatch }}
+{{- $mounts_heat_cloudwatch_init := .Values.pod.mounts.heat_cloudwatch.init_container }}
+
+{{- $serviceAccountName := "heat-cloudwatch" }}
+{{ tuple $envAll "cloudwatch" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: heat-cloudwatch
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.cloudwatch }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.cloudwatch.node_selector_key }}: {{ .Values.labels.cloudwatch.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cloudwatch.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "cloudwatch" $mounts_heat_cloudwatch_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: heat-cloudwatch
+{{ tuple $envAll "heat_cloudwatch" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_cloudwatch" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/heat-cloudwatch.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/heat-cloudwatch.sh
+ - stop
+ ports:
+ - name: h-cwh
+ containerPort: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: heat-bin
+ mountPath: /tmp/heat-cloudwatch.sh
+ subPath: heat-cloudwatch.sh
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+ - name: heat-etc
+ mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+ readOnly: true
+ {{ end }}
+ - name: heat-etc
+ mountPath: /etc/heat/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+{{ if $mounts_heat_cloudwatch.volumeMounts }}{{ toYaml $mounts_heat_cloudwatch.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+ - name: heat-etc
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+{{ if $mounts_heat_cloudwatch.volumes }}{{ toYaml $mounts_heat_cloudwatch.volumes | indent 8 }}{{ end }}
+{{- end }}
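Review bot: The pod template annotations (`configmap-bin-hash` / `configmap-etc-hash` under `template.metadata.annotations`) omit the `helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation` include that deployment-cfn and deployment-engine carry, so any AppArmor profile the chart configures for its pods would not be applied to heat-cloudwatch. Unless this is deliberate, add `{{ dict "envAll" $envAll "podName" "heat-cloudwatch" "containerNames" (list "heat-cloudwatch" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}` after the hash annotations. The container also has a `readinessProbe` but no `livenessProbe`, unlike the cfn container in this commit; if that asymmetry is intended, a short comment saying why would help.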
diff --git a/charts/heat/templates/deployment-engine.yaml b/charts/heat/templates/deployment-engine.yaml
new file mode 100644
index 0000000..4ae0197
--- /dev/null
+++ b/charts/heat/templates/deployment-engine.yaml
@@ -0,0 +1,123 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if or ( .Values.manifests.deployment_engine ) ( .Values.manifests.statefulset_engine ) }}
+{{- $envAll := . }}
+
+{{- $mounts_heat_engine := .Values.pod.mounts.heat_engine.heat_engine }}
+{{- $mounts_heat_engine_init := .Values.pod.mounts.heat_engine.init_container }}
+
+{{- $serviceAccountName := "heat-engine" }}
+{{ tuple $envAll "engine" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+metadata:
+ name: heat-engine
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if .Values.manifests.deployment_engine }}
+kind: Deployment
+spec:
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+{{- else if .Values.manifests.statefulset_engine }}
+kind: StatefulSet
+spec:
+ serviceName: heat-engine
+{{- end }}
+ replicas: {{ .Values.pod.replicas.engine }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if .Values.manifests.deployment_engine }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-engine" "containerNames" (list "heat-engine" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{- tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.engine.node_selector_key }}: {{ .Values.labels.engine.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.engine.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "engine" $mounts_heat_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: heat-engine
+{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/heat-engine.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/heat-engine.sh
+ - stop
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-heat
+ mountPath: /etc/heat
+ - name: heat-bin
+ mountPath: /tmp/heat-engine.sh
+ subPath: heat-engine.sh
+ readOnly: true
+ - name: heat-etc
+ mountPath: /etc/heat/heat.conf
+ subPath: heat.conf
+ readOnly: true
+ {{ if .Values.conf.heat.DEFAULT.log_config_append }}
+ - name: heat-etc
+ mountPath: {{ .Values.conf.heat.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+ readOnly: true
+ {{ end }}
+ - name: heat-etc
+ mountPath: /etc/heat/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-heat
+ emptyDir: {}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+ - name: heat-etc
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+ {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
+{{- end }}
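Review bot: The `{{- if .Values.manifests.deployment_engine }}` guard around `template.metadata.annotations` means the StatefulSet variant gets neither the `configmap-bin-hash` / `configmap-etc-hash` checksums nor the `kubernetes_mandatory_access_control_annotation`, so a config change would not roll engine pods and the AppArmor annotation would be absent when `manifests.statefulset_engine` is used. Pod-template annotations are valid on a StatefulSet as well, so the `{{- if` / `{{- end }}` pair around that block can be dropped unless there is a reason I cannot see in the hunk. Also the `tls_volume` include for `oslo_db` under `volumes:` is indented with leading spaces while the two following includes are not; `{{-` trims it so the output is identical, but aligning the three lines would avoid the impression that the first one is nested differently.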
diff --git a/charts/heat/templates/ingress-api.yaml b/charts/heat/templates/ingress-api.yaml
new file mode 100644
index 0000000..8d5c9a0
--- /dev/null
+++ b/charts/heat/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/ingress-cfn.yaml b/charts/heat/templates/ingress-cfn.yaml
new file mode 100644
index 0000000..d965338
--- /dev/null
+++ b/charts/heat/templates/ingress-cfn.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
+{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/ingress-cloudwatch.yaml b/charts/heat/templates/ingress-cloudwatch.yaml
new file mode 100644
index 0000000..1be57f5
--- /dev/null
+++ b/charts/heat/templates/ingress-cloudwatch.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_cloudwatch .Values.network.cloudwatch.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "cloudwatch" "backendServiceType" "cloudwatch" "backendPort" "h-cwh" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
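Review bot: Unlike ingress-api.yaml and ingress-cfn.yaml in this commit, no `certIssuer` is set on `$ingressOpts` when `manifests.certificates` is true, so the cloudwatch ingress stays plain HTTP even when the other two are issued TLS certificates. This may be intentional if values.yaml defines no TLS secret for cloudwatch (values.yaml is not in this hunk), but then a comment above the `dict` line, `# no TLS secret is defined for cloudwatch; ingress is issued without certIssuer`, would record the decision rather than leave it looking like an omission.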
diff --git a/charts/heat/templates/job-bootstrap.yaml b/charts/heat/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..5dfe56f
--- /dev/null
+++ b/charts/heat/templates/job-bootstrap.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
+{{- end }}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/heat/templates/job-db-drop.yaml b/charts/heat/templates/job-db-drop.yaml
new file mode 100644
index 0000000..d74fa7b
--- /dev/null
+++ b/charts/heat/templates/job-db-drop.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/heat/templates/job-db-init.yaml b/charts/heat/templates/job-db-init.yaml
new file mode 100644
index 0000000..b3b44fe
--- /dev/null
+++ b/charts/heat/templates/job-db-init.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/heat/templates/job-db-sync.yaml b/charts/heat/templates/job-db-sync.yaml
new file mode 100644
index 0000000..5670792
--- /dev/null
+++ b/charts/heat/templates/job-db-sync.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "heat" "podVolMounts" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumeMounts "podVols" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/heat/templates/job-image-repo-sync.yaml b/charts/heat/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..a9da325
--- /dev/null
+++ b/charts/heat/templates/job-image-repo-sync.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
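Review bot: The line `{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}` is missing the `set` function, so it tries to call the dict as a function and the template fails to render whenever `helm3_hook` and `images.local_registry.active` are both true. Every sibling job template in this commit (job-bootstrap, job-db-init, job-db-sync, job-ks-endpoints, job-ks-service) uses `set`; the fix is `{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}`. A `helm template` run with those two values enabled would have caught this and is worth adding to chart lint.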
diff --git a/charts/heat/templates/job-ks-endpoints.yaml b/charts/heat/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..9388806
--- /dev/null
+++ b/charts/heat/templates/job-ks-endpoints.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
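Review bot: The variable in `{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" ... }}` is named for the ks-service job although this file renders the ks-endpoints job, which reads like a copy-paste from job-ks-service.yaml. Renaming it to `$ksEndpointsJob` on the three lines that reference it keeps the two templates distinguishable when grepping, with no change in output.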
diff --git a/charts/heat/templates/job-ks-service.yaml b/charts/heat/templates/job-ks-service.yaml
new file mode 100644
index 0000000..5947c0e
--- /dev/null
+++ b/charts/heat/templates/job-ks-service.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/heat/templates/job-ks-user-domain.yaml b/charts/heat/templates/job-ks-user-domain.yaml
new file mode 100644
index 0000000..a709608
--- /dev/null
+++ b/charts/heat/templates/job-ks-user-domain.yaml
@@ -0,0 +1,101 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_user_domain }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "heat-ks-user-domain" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: heat-domain-ks-user
+ labels:
+{{ tuple $envAll "heat" "ks-user-domain" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+{{- if .Values.helm3_hook }}
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-domain-ks-user" "containerNames" (list "heat-ks-domain-user" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: heat-ks-domain-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "heat_ks_domain_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ks-domain-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-domain-user.sh
+ subPath: ks-domain-user.sh
+ readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "heat"
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.identity.heat_stack_user }}
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.identity.heat_stack_user }}
+ key: OS_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.identity.heat_stack_user }}
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.identity.heat_stack_user }}
+ key: OS_PASSWORD
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.endpoints.identity.auth.heat_stack_user.role | quote }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
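Review bot: The pod template labels this job's pods with component `ks-user` (the `tuple $envAll "heat" "ks-user"` under `spec.template.metadata.labels`) while the Job object itself is labelled `ks-user-domain`, so any selector, network policy or log query keyed on the component label will group these pods with the plain ks-user job rather than with the Job that owns them; the pod-template line should read `{{ tuple $envAll "heat" "ks-user-domain" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}`. The `heat-ks-domain-user` container also carries no `helm-toolkit.snippets.kubernetes_resources` include, unlike the trusts job in this same commit, so it runs without requests or limits. Adding `{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}` after the image snippet would match the sibling; the rally test pod already references `pod.resources.jobs.ks_user`, so that values key presumably exists.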
diff --git a/charts/heat/templates/job-ks-user-trustee.yaml b/charts/heat/templates/job-ks-user-trustee.yaml
new file mode 100644
index 0000000..21f1b57
--- /dev/null
+++ b/charts/heat/templates/job-ks-user-trustee.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.heat_trust" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user_trustee }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
+{{- end }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/heat/templates/job-ks-user.yaml b/charts/heat/templates/job-ks-user.yaml
new file mode 100644
index 0000000..bf23eeb
--- /dev/null
+++ b/charts/heat/templates/job-ks-user.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/heat/templates/job-rabbit-init.yaml b/charts/heat/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..8da178b
--- /dev/null
+++ b/charts/heat/templates/job-rabbit-init.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/heat/templates/job-trusts.yaml b/charts/heat/templates/job-trusts.yaml
new file mode 100644
index 0000000..afa6bde
--- /dev/null
+++ b/charts/heat/templates/job-trusts.yaml
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+
+{{- $mounts_heat_trusts := .Values.pod.mounts.heat_trusts.heat_trusts }}
+{{- $mounts_heat_trusts_init := .Values.pod.mounts.heat_trusts.init_container }}
+
+{{- $serviceAccountName := "heat-trusts" }}
+{{ tuple $envAll "trusts" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: heat-trusts
+ labels:
+{{ tuple $envAll "heat" "trusts" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+{{- if .Values.helm3_hook }}
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "heat" "trusts" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "heat-trusts" "containerNames" (list "heat-trusts" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "trusts" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "trusts" $mounts_heat_trusts_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: heat-trusts
+{{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.trusts | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "trusts" "container" "heat_trusts" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - bash
+ - /tmp/trusts.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: heat-bin
+ mountPath: /tmp/trusts.sh
+ subPath: trusts.sh
+ readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ value: {{ .Values.conf.heat.DEFAULT.trusts_delegated_roles }}
+ - name: SERVICE_OS_TRUSTEE
+ value: {{ .Values.endpoints.identity.auth.heat_trustee.username }}
+ - name: SERVICE_OS_TRUSTEE_DOMAIN
+ value: {{ .Values.endpoints.identity.auth.heat_trustee.user_domain_name }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
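Review bot: This is the only job template in the chart with no `.Values.manifests.*` guard, so the heat-trusts Job and its ServiceAccount/RBAC are rendered unconditionally and cannot be switched off the way `job_ks_user`, `job_ks_user_domain` and the others can; wrapping the file in `{{- if .Values.manifests.job_trusts }}` … `{{- end }}` would match the siblings, provided the key is added to values. Separately, the three env entries at the bottom are emitted as plain scalars — `value: {{ .Values.conf.heat.DEFAULT.trusts_delegated_roles }}` — so an empty setting renders as a bare `value:` (YAML null) and a value that happens to be YAML-special is retyped, whereas the domain-user job in this commit writes `SERVICE_OS_ROLE` with `| quote`. Use `value: {{ ... | quote }}` for `SERVICE_OS_ROLES`, `SERVICE_OS_TRUSTEE` and `SERVICE_OS_TRUSTEE_DOMAIN` so the rendered manifest is unambiguous and consistent.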
diff --git a/charts/heat/templates/network_policy.yaml b/charts/heat/templates/network_policy.yaml
new file mode 100644
index 0000000..d6a4809
--- /dev/null
+++ b/charts/heat/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "heat" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/heat/templates/pdb-api.yaml b/charts/heat/templates/pdb-api.yaml
new file mode 100644
index 0000000..284e079
--- /dev/null
+++ b/charts/heat/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: heat-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
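Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget was removed in Kubernetes 1.25 (the GA `policy/v1` version has existed since 1.21), so on current clusters this manifest fails to apply when `manifests.pdb_api` is enabled. Unless the chart deliberately targets clusters older than 1.21, change the line to `apiVersion: policy/v1`; the same applies to pdb-cfn.yaml and pdb-cloudwatch.yaml added in this commit.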
diff --git a/charts/heat/templates/pdb-cfn.yaml b/charts/heat/templates/pdb-cfn.yaml
new file mode 100644
index 0000000..52a72fb
--- /dev/null
+++ b/charts/heat/templates/pdb-cfn.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_cfn }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: heat-cfn
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.cfn.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/heat/templates/pdb-cloudwatch.yaml b/charts/heat/templates/pdb-cloudwatch.yaml
new file mode 100644
index 0000000..a0b057b
--- /dev/null
+++ b/charts/heat/templates/pdb-cloudwatch.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_cloudwatch }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: heat-cloudwatch
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.cloudwatch.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/heat/templates/pod-rally-test.yaml b/charts/heat/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..9aa6373
--- /dev/null
+++ b/charts/heat/templates/pod-rally-test.yaml
@@ -0,0 +1,115 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.heat_tests.heat_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.heat_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ print $envAll.Release.Name "-test" }}
+ labels:
+{{ tuple $envAll "heat" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+ restartPolicy: Never
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ - name: {{ .Release.Name }}-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+ command:
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: heat-bin
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+ containers:
+ - name: {{ .Release.Name }}-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: RALLY_ENV_NAME
+ value: {{.Release.Name}}
+ command:
+ - /tmp/rally-test.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: heat-etc
+ mountPath: /etc/rally/rally_tests.yaml
+ subPath: rally_tests.yaml
+ readOnly: true
+ - name: heat-bin
+ mountPath: /tmp/rally-test.sh
+ subPath: rally-test.sh
+ readOnly: true
+ - name: rally-db
+ mountPath: /var/lib/rally
+ {{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
+ - name: heat-etc
+ mountPath: {{ $value.name }}
+ subPath: {{ printf "test_template_%d" $key }}
+ readOnly: true
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: heat-etc
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+ defaultMode: 0555
+ - name: rally-db
+ emptyDir: {}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
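Review bot: Neither the test pod spec nor its two containers include the `kubernetes_pod_security_context` / `kubernetes_container_security_context` snippets that job-ks-user-domain and job-trusts apply, so the rally container and the ks-user init container run with whatever the cluster default is — typically root with privilege escalation allowed — while holding the admin openrc credentials and the test user's password in their environment. Adding `{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}` under `spec:` and a per-container `kubernetes_container_security_context` include would bring it in line with the jobs, assuming the matching `pod.security_context.test` values are declared. The `kubernetes_mandatory_access_control_annotation` the jobs emit on their pod templates is likewise absent here.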
diff --git a/charts/heat/templates/secret-db.yaml b/charts/heat/templates/secret-db.yaml
new file mode 100644
index 0000000..ef020d1
--- /dev/null
+++ b/charts/heat/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "heat" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/templates/secret-ingress-tls.yaml b/charts/heat/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..33707fa
--- /dev/null
+++ b/charts/heat/templates/secret-ingress-tls.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "orchestration" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" ) }}
+{{- end }}
diff --git a/charts/heat/templates/secret-keystone.yaml b/charts/heat/templates/secret-keystone.yaml
new file mode 100644
index 0000000..d6758ce
--- /dev/null
+++ b/charts/heat/templates/secret-keystone.yaml
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "heat" "heat_trustee" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $envAll.Values.secrets.identity.heat_stack_user }}
+type: Opaque
+data:
+ OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+ OS_REGION_NAME: {{ .Values.endpoints.identity.auth.heat_stack_user.region_name | b64enc }}
+ OS_DOMAIN_NAME: {{ .Values.endpoints.identity.auth.heat_stack_user.domain_name | b64enc }}
+ OS_USERNAME: {{ .Values.endpoints.identity.auth.heat_stack_user.username | b64enc }}
+ OS_PASSWORD: {{ .Values.endpoints.identity.auth.heat_stack_user.password | b64enc }}
+{{- end }}
diff --git a/charts/heat/templates/secret-rabbitmq.yaml b/charts/heat/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..ca1ea8c
--- /dev/null
+++ b/charts/heat/templates/secret-rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "heat" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/heat/templates/service-api.yaml b/charts/heat/templates/service-api.yaml
new file mode 100644
index 0000000..fd0aadf
--- /dev/null
+++ b/charts/heat/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "orchestration" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: h-api
+ port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.api.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
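Review bot: The `external_policy_local` branch that emits `externalTrafficPolicy: Local` exists only on this service; service-cfn.yaml and service-cloudwatch.yaml in the same commit expose NodePorts without it, so client source IPs are preserved for the orchestration API but SNAT'd for cfn and cloudwatch, which matters for any source-based filtering or audit logging in front of those endpoints. If the asymmetry is not intended, add the same `{{ if .Values.network.cfn.external_policy_local }}` / `externalTrafficPolicy: Local` / `{{ end }}` block to the other two services together with the corresponding values keys.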
diff --git a/charts/heat/templates/service-cfn.yaml b/charts/heat/templates/service-cfn.yaml
new file mode 100644
index 0000000..568c1db
--- /dev/null
+++ b/charts/heat/templates/service-cfn.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_cfn }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "cloudformation" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: h-cfn
+ port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.cfn.node_port.enabled }}
+ nodePort: {{ .Values.network.cfn.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.cfn.node_port.enabled }}
+ type: NodePort
+ {{ end }}
+{{- end }}
diff --git a/charts/heat/templates/service-cloudwatch.yaml b/charts/heat/templates/service-cloudwatch.yaml
new file mode 100644
index 0000000..4978371
--- /dev/null
+++ b/charts/heat/templates/service-cloudwatch.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_cloudwatch }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "cloudwatch" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: h-cwh
+ port: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.cloudwatch.node_port.enabled }}
+ nodePort: {{ .Values.network.cloudwatch.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.cloudwatch.node_port.enabled }}
+ type: NodePort
+ {{ end }}
+{{- end }}
diff --git a/charts/heat/templates/service-ingress-api.yaml b/charts/heat/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..d4e9982
--- /dev/null
+++ b/charts/heat/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "orchestration" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/service-ingress-cfn.yaml b/charts/heat/templates/service-ingress-cfn.yaml
new file mode 100644
index 0000000..41f6a87
--- /dev/null
+++ b/charts/heat/templates/service-ingress-cfn.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_cfn .Values.network.cfn.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "cloudformation" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/heat/templates/service-ingress-cloudwatch.yaml b/charts/heat/templates/service-ingress-cloudwatch.yaml
new file mode 100644
index 0000000..1ebd9d6
--- /dev/null
+++ b/charts/heat/templates/service-ingress-cloudwatch.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_cloudwatch .Values.network.cloudwatch.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "cloudwatch" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/heat/values.yaml b/charts/heat/values.yaml
new file mode 100644
index 0000000..58f786b
--- /dev/null
+++ b/charts/heat/values.yaml
@@ -0,0 +1,1338 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for heat.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ cfn:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ cloudwatch:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ engine:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ tags:
+ test: docker.io/xrally/xrally-openstack:2.0.0
+ bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ heat_db_sync: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ heat_api: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ heat_cfn: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ heat_cloudwatch: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ heat_engine: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ heat_engine_cleaner: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ heat_purge_deleted: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+jobs:
+ engine_cleaner:
+ cron: "*/5 * * * *"
+ starting_deadline: 600
+ history:
+ success: 3
+ failed: 1
+
+ purge_deleted:
+ cron: "20 */24 * * *"
+ purge_age: 60
+ history:
+ success: 3
+ failed: 1
+
+conf:
+ rally_tests:
+ run_tempest: false
+ tests:
+ HeatStacks.create_update_delete_stack:
+ - args:
+ template_path: /tmp/rally-jobs/random_strings.yaml
+ updated_template_path: /tmp/rally-jobs/updated_random_strings_replace.yaml
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ HeatStacks.create_check_delete_stack:
+ - args:
+ template_path: /tmp/rally-jobs/random_strings.yaml
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ HeatStacks.create_and_delete_stack:
+ - args:
+ template_path: /tmp/rally-jobs/resource_group_with_constraint.yaml
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ HeatStacks.create_and_list_stack:
+ - args:
+ template_path: /tmp/rally-jobs/default.yaml
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ HeatStacks.create_snapshot_restore_delete_stack:
+ - args:
+ template_path: /tmp/rally-jobs/random_strings.yaml
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ HeatStacks.create_stack_and_list_output:
+ - args:
+ template_path: /tmp/rally-jobs/resource_group_with_outputs.yaml
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ HeatStacks.create_stack_and_list_output_via_API:
+ - args:
+ template_path: /tmp/rally-jobs/resource_group_with_outputs.yaml
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ templates:
+ - name: /tmp/rally-jobs/default.yaml
+ template: |
+ heat_template_version: 2014-10-16
+ - name: /tmp/rally-jobs/random_strings.yaml
+ template: |
+ heat_template_version: 2014-10-16
+ description: Test template for rally create-update-delete scenario
+ resources:
+ test_string_one:
+ type: OS::Heat::RandomString
+ properties:
+ length: 20
+ test_string_two:
+ type: OS::Heat::RandomString
+ properties:
+ length: 20
+ - name: /tmp/rally-jobs/resource_group_with_constraint.yaml
+ template: |
+ heat_template_version: 2013-05-23
+ description: Template for testing caching.
+ parameters:
+ count:
+ type: number
+ default: 40
+ delay:
+ type: number
+ default: 0.1
+ resources:
+ rg:
+ type: OS::Heat::ResourceGroup
+ properties:
+ count:
+ get_param: count
+ resource_def:
+ type: OS::Heat::TestResource
+ properties:
+ constraint_prop_secs:
+ get_param: delay
+ - name: /tmp/rally-jobs/resource_group_with_outputs.yaml
+ template: |
+ heat_template_version: 2013-05-23
+ parameters:
+ attr_wait_secs:
+ type: number
+ default: 0.5
+ resources:
+ rg:
+ type: OS::Heat::ResourceGroup
+ properties:
+ count: 10
+ resource_def:
+ type: OS::Heat::TestResource
+ properties:
+ attr_wait_secs:
+ get_param: attr_wait_secs
+ outputs:
+ val1:
+ value:
+ get_attr:
+ - rg
+ - resource.0.output
+ val2:
+ value:
+ get_attr:
+ - rg
+ - resource.1.output
+ val3:
+ value:
+ get_attr:
+ - rg
+ - resource.2.output
+ val4:
+ value:
+ get_attr:
+ - rg
+ - resource.3.output
+ val5:
+ value:
+ get_attr:
+ - rg
+ - resource.4.output
+ val6:
+ value:
+ get_attr:
+ - rg
+ - resource.5.output
+ val7:
+ value:
+ get_attr:
+ - rg
+ - resource.6.output
+ val8:
+ value:
+ get_attr:
+ - rg
+ - resource.7.output
+ val9:
+ value:
+ get_attr:
+ - rg
+ - resource.8.output
+ val10:
+ value:
+ get_attr:
+ - rg
+ - resource.9.output
+ - name: /tmp/rally-jobs/updated_random_strings_replace.yaml
+ template: |
+ heat_template_version: 2014-10-16
+ description: |
+ Test template for create-update-delete-stack scenario in rally.
+ The template deletes one resource from the stack defined by
+ random-strings.yaml.template and re-creates it with the updated parameters
+ (so-called update-replace). That happens because some parameters cannot be
+ changed without resource re-creation. The template allows to measure performance
+ of update-replace operation.
+ resources:
+ test_string_one:
+ type: OS::Heat::RandomString
+ properties:
+ length: 20
+ test_string_two:
+ type: OS::Heat::RandomString
+ properties:
+ length: 40
+ paste:
+ pipeline:heat-api:
+ pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation osprofiler authurl authtoken audit context apiv1app
+ pipeline:heat-api-standalone:
+ pipeline: cors request_id faultwrap http_proxy_to_wsgi versionnegotiation authurl authpassword context apiv1app
+ pipeline:heat-api-custombackend:
+ pipeline: cors request_id faultwrap versionnegotiation context custombackendauth apiv1app
+ pipeline:heat-api-cfn:
+ pipeline: cors http_proxy_to_wsgi cfnversionnegotiation osprofiler ec2authtoken authtoken audit context apicfnv1app
+ pipeline:heat-api-cfn-standalone:
+ pipeline: cors http_proxy_to_wsgi cfnversionnegotiation ec2authtoken context apicfnv1app
+ pipeline:heat-api-cloudwatch:
+ pipeline: cors versionnegotiation osprofiler ec2authtoken authtoken audit context apicwapp
+ pipeline:heat-api-cloudwatch-standalone:
+ pipeline: cors versionnegotiation ec2authtoken context apicwapp
+ app:apiv1app:
+ paste.app_factory: heat.common.wsgi:app_factory
+ heat.app_factory: heat.api.openstack.v1:API
+ app:apicfnv1app:
+ paste.app_factory: heat.common.wsgi:app_factory
+ heat.app_factory: heat.api.cfn.v1:API
+ app:apicwapp:
+ paste.app_factory: heat.common.wsgi:app_factory
+ heat.app_factory: heat.api.cloudwatch:API
+ filter:versionnegotiation:
+ paste.filter_factory: heat.common.wsgi:filter_factory
+ heat.filter_factory: heat.api.openstack:version_negotiation_filter
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: heat
+ filter:faultwrap:
+ paste.filter_factory: heat.common.wsgi:filter_factory
+ heat.filter_factory: heat.api.openstack:faultwrap_filter
+ filter:cfnversionnegotiation:
+ paste.filter_factory: heat.common.wsgi:filter_factory
+ heat.filter_factory: heat.api.cfn:version_negotiation_filter
+ filter:cwversionnegotiation:
+ paste.filter_factory: heat.common.wsgi:filter_factory
+ heat.filter_factory: heat.api.cloudwatch:version_negotiation_filter
+ filter:context:
+ paste.filter_factory: heat.common.context:ContextMiddleware_filter_factory
+ filter:ec2authtoken:
+ paste.filter_factory: heat.api.aws.ec2token:EC2Token_filter_factory
+ filter:http_proxy_to_wsgi:
+ paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
+ filter:authurl:
+ paste.filter_factory: heat.common.auth_url:filter_factory
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:authpassword:
+ paste.filter_factory: heat.common.auth_password:filter_factory
+ filter:custombackendauth:
+ paste.filter_factory: heat.common.custom_backend_auth:filter_factory
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/heat/api_audit_map.conf
+ filter:request_id:
+ paste.filter_factory: oslo_middleware.request_id:RequestId.factory
+ filter:osprofiler:
+ paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
+ policy:
+ context_is_admin: role:admin and is_admin_project:True
+ project_admin: role:admin
+ deny_stack_user: not role:heat_stack_user
+ deny_everybody: "!"
+ cloudformation:ListStacks: rule:deny_stack_user
+ cloudformation:CreateStack: rule:deny_stack_user
+ cloudformation:DescribeStacks: rule:deny_stack_user
+ cloudformation:DeleteStack: rule:deny_stack_user
+ cloudformation:UpdateStack: rule:deny_stack_user
+ cloudformation:CancelUpdateStack: rule:deny_stack_user
+ cloudformation:DescribeStackEvents: rule:deny_stack_user
+ cloudformation:ValidateTemplate: rule:deny_stack_user
+ cloudformation:GetTemplate: rule:deny_stack_user
+ cloudformation:EstimateTemplateCost: rule:deny_stack_user
+ cloudformation:DescribeStackResource: ''
+ cloudformation:DescribeStackResources: rule:deny_stack_user
+ cloudformation:ListStackResources: rule:deny_stack_user
+ cloudwatch:DeleteAlarms: rule:deny_stack_user
+ cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
+ cloudwatch:DescribeAlarms: rule:deny_stack_user
+ cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
+ cloudwatch:DisableAlarmActions: rule:deny_stack_user
+ cloudwatch:EnableAlarmActions: rule:deny_stack_user
+ cloudwatch:GetMetricStatistics: rule:deny_stack_user
+ cloudwatch:ListMetrics: rule:deny_stack_user
+ cloudwatch:PutMetricAlarm: rule:deny_stack_user
+ cloudwatch:PutMetricData: ''
+ cloudwatch:SetAlarmState: rule:deny_stack_user
+ actions:action: rule:deny_stack_user
+ build_info:build_info: rule:deny_stack_user
+ events:index: rule:deny_stack_user
+ events:show: rule:deny_stack_user
+ resource:index: rule:deny_stack_user
+ resource:metadata: ''
+ resource:signal: ''
+ resource:mark_unhealthy: rule:deny_stack_user
+ resource:show: rule:deny_stack_user
+ stacks:abandon: rule:deny_stack_user
+ stacks:create: rule:deny_stack_user
+ stacks:delete: rule:deny_stack_user
+ stacks:detail: rule:deny_stack_user
+ stacks:export: rule:deny_stack_user
+ stacks:generate_template: rule:deny_stack_user
+ stacks:global_index: rule:deny_everybody
+ stacks:index: rule:deny_stack_user
+ stacks:list_resource_types: rule:deny_stack_user
+ stacks:list_template_versions: rule:deny_stack_user
+ stacks:list_template_functions: rule:deny_stack_user
+ stacks:lookup: ''
+ stacks:preview: rule:deny_stack_user
+ stacks:resource_schema: rule:deny_stack_user
+ stacks:show: rule:deny_stack_user
+ stacks:template: rule:deny_stack_user
+ stacks:environment: rule:deny_stack_user
+ stacks:files: rule:deny_stack_user
+ stacks:update: rule:deny_stack_user
+ stacks:update_patch: rule:deny_stack_user
+ stacks:preview_update: rule:deny_stack_user
+ stacks:preview_update_patch: rule:deny_stack_user
+ stacks:validate_template: rule:deny_stack_user
+ stacks:snapshot: rule:deny_stack_user
+ stacks:show_snapshot: rule:deny_stack_user
+ stacks:delete_snapshot: rule:deny_stack_user
+ stacks:list_snapshots: rule:deny_stack_user
+ stacks:restore_snapshot: rule:deny_stack_user
+ stacks:list_outputs: rule:deny_stack_user
+ stacks:show_output: rule:deny_stack_user
+ software_configs:global_index: rule:deny_everybody
+ software_configs:index: rule:deny_stack_user
+ software_configs:create: rule:deny_stack_user
+ software_configs:show: rule:deny_stack_user
+ software_configs:delete: rule:deny_stack_user
+ software_deployments:index: rule:deny_stack_user
+ software_deployments:create: rule:deny_stack_user
+ software_deployments:show: rule:deny_stack_user
+ software_deployments:update: rule:deny_stack_user
+ software_deployments:delete: rule:deny_stack_user
+ software_deployments:metadata: ''
+ service:index: rule:context_is_admin
+ resource_types:OS::Nova::Flavor: rule:project_admin
+ resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
+ resource_types:OS::Cinder::VolumeType: rule:project_admin
+ resource_types:OS::Cinder::Quota: rule:project_admin
+ resource_types:OS::Manila::ShareType: rule:project_admin
+ resource_types:OS::Neutron::QoSPolicy: rule:project_admin
+ resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
+ resource_types:OS::Nova::HostAggregate: rule:project_admin
+ resource_types:OS::Cinder::QoSSpecs: rule:project_admin
+ heat:
+ DEFAULT:
+ log_config_append: /etc/heat/logging.conf
+ num_engine_workers: 1
+ trusts_delegated_roles: ""
+ host: heat-engine
+ keystone_authtoken:
+ auth_type: password
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ database:
+ max_retries: -1
+ trustee:
+ auth_type: password
+ auth_version: v3
+ heat_api:
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ bind_port: null
+ workers: 1
+ heat_api_cloudwatch:
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ bind_port: null
+ workers: 1
+ heat_api_cfn:
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ bind_port: null
+ workers: 1
+ paste_deploy:
+ api_paste_config: /etc/heat/api-paste.ini
+ clients:
+ endpoint_type: internalURL
+ clients_heat:
+ endpoint_type: publicURL
+ clients_keystone:
+ endpoint_type: internalURL
+ oslo_messaging_notifications:
+ driver: messagingv2
+ oslo_middleware:
+ enable_proxy_headers_parsing: true
+ oslo_messaging_rabbit:
+ rabbit_ha_queues: True
+ oslo_policy:
+ policy_file: /etc/heat/policy.yaml
+ api_audit_map:
+ DEFAULT:
+ target_endpoint_type: None
+ path_keywords:
+ stacks: stack
+ resources: resource
+ preview: None
+ detail: None
+ abandon: None
+ snapshots: snapshot
+ restore: None
+ outputs: output
+ metadata: server
+ signal: None
+ events: event
+ template: None
+ template_versions: template_version
+ functions: None
+ validate: None
+ resource_types: resource_type
+ build_info: None
+ actions: None
+ software_configs: software_config
+ software_deployments: software_deployment
+ services: None
+ service_endpoints:
+ orchestration:service/orchestration
+ logging:
+ loggers:
+ keys:
+ - root
+ - heat
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_heat:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: heat
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+
+ rabbitmq:
+ # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+ policies:
+ - vhost: "heat"
+ name: "ha_ttl_heat"
+ definition:
+ # mirror messges to other nodes in rmq cluster
+ ha-mode: "all"
+ ha-sync-mode: "automatic"
+ # 70s
+ message-ttl: 70000
+ priority: 0
+ apply-to: all
+ pattern: '^(?!(amq\.|reply_)).*'
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30004
+ cfn:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ node_port:
+ enabled: false
+ port: 30800
+ cloudwatch:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ node_port:
+ enabled: false
+ port: 30003
+
+bootstrap:
+ enabled: true
+ ks_user: admin
+ script: |
+ #NOTE(portdirect): The Orchestration service automatically assigns the
+ # 'heat_stack_user' role to users that it creates during stack deployment.
+ # By default, this role restricts API operations. To avoid conflicts, do
+ # not add this role to actual users.
+ openstack role create --or-show heat_stack_user
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - heat-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ api:
+ jobs:
+ - heat-db-sync
+ - heat-rabbit-init
+ - heat-ks-user
+ - heat-trustee-ks-user
+ - heat-domain-ks-user
+ - heat-ks-endpoints
+ - heat-bootstrap
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: identity
+ cfn:
+ jobs:
+ - heat-db-sync
+ - heat-rabbit-init
+ - heat-ks-user
+ - heat-trustee-ks-user
+ - heat-domain-ks-user
+ - heat-ks-endpoints
+ - heat-bootstrap
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: identity
+ cloudwatch:
+ jobs:
+ - heat-db-sync
+ - heat-rabbit-init
+ - heat-ks-user
+ - heat-trustee-ks-user
+ - heat-domain-ks-user
+ - heat-ks-endpoints
+ - heat-bootstrap
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: identity
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - heat-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ bootstrap:
+ services:
+ - endpoint: internal
+ service: identity
+ engine:
+ jobs:
+ - heat-db-sync
+ - heat-rabbit-init
+ - heat-ks-user
+ - heat-trustee-ks-user
+ - heat-domain-ks-user
+ - heat-ks-endpoints
+ - heat-bootstrap
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: identity
+ engine_cleaner:
+ jobs:
+ - heat-db-sync
+ - heat-ks-user
+ - heat-trustee-ks-user
+ - heat-domain-ks-user
+ - heat-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: identity
+ purge_deleted:
+ jobs:
+ - heat-db-sync
+ - heat-ks-user
+ - heat-trustee-ks-user
+ - heat-domain-ks-user
+ - heat-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: identity
+ ks_endpoints:
+ jobs:
+ - heat-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ trusts:
+ jobs:
+ - heat-ks-user
+ - heat-trustee-ks-user
+ - heat-domain-ks-user
+ services:
+ - endpoint: internal
+ service: identity
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+ tests:
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: orchestration
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: heat-keystone-admin
+ heat: heat-keystone-user
+ heat_trustee: heat-keystone-trustee
+ heat_stack_user: heat-keystone-stack-user
+ test: heat-keystone-test
+ oslo_db:
+ admin: heat-db-admin
+ heat: heat-db-user
+ oslo_messaging:
+ admin: heat-rabbitmq-admin
+ heat: heat-rabbitmq-user
+ tls:
+ orchestration:
+ api:
+ public: heat-tls-public
+ internal: heat-tls-api
+ cloudformation:
+ cfn:
+ public: cloudformation-tls-public
+ internal: heat-tls-cfn
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ heat:
+ role: admin
+ region_name: RegionOne
+ username: heat
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ heat_trustee:
+ role: admin
+ region_name: RegionOne
+ username: heat-trust
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ heat_stack_user:
+ role: admin
+ region_name: RegionOne
+ username: heat-domain
+ password: password
+ domain_name: heat
+ test:
+ role: admin
+ region_name: RegionOne
+ username: heat-test
+ password: password
+ project_name: test
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 80
+ internal: 5000
+ orchestration:
+ name: heat
+ hosts:
+ default: heat-api
+ public: heat
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: '/v1/%(project_id)s'
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8004
+ public: 80
+ cloudformation:
+ name: heat-cfn
+ hosts:
+ default: heat-cfn
+ public: cloudformation
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: /v1
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8000
+ public: 80
+ # Cloudwatch does not get an entry in the keystone service catalog
+ cloudwatch:
+ name: heat-cloudwatch
+ hosts:
+ default: heat-cloudwatch
+ public: cloudwatch
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ type: null
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8003
+ public: 80
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ heat:
+ username: heat
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /heat
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ secret:
+ tls:
+ internal: rabbitmq-tls-direct
+ heat:
+ username: heat
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /heat
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ fluentd:
+ namespace: null
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+ # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+ # They are using to enable the Egress K8s network policy.
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns:
+ default: 53
+ protocol: UDP
+ ingress:
+ namespace: null
+ name: ingress
+ hosts:
+ default: ingress
+ port:
+ ingress:
+ default: 80
+
+pod:
+ security_context:
+ heat:
+ pod:
+ runAsUser: 42424
+ container:
+ heat_api:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ heat_cfn:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ heat_cloudwatch:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ heat_engine:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ trusts:
+ pod:
+ runAsUser: 42424
+ container:
+ heat_trusts:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ ks_user:
+ pod:
+ runAsUser: 42424
+ container:
+ heat_ks_domain_user:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ engine_cleaner:
+ pod:
+ runAsUser: 42424
+ container:
+ heat_engine_cleaner:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ mounts:
+ heat_api:
+ init_container: null
+ heat_api:
+ volumeMounts:
+ volumes:
+ heat_cfn:
+ init_container: null
+ heat_cfn:
+ volumeMounts:
+ volumes:
+ heat_cloudwatch:
+ init_container: null
+ heat_cloudwatch:
+ volumeMounts:
+ volumes:
+ heat_engine:
+ init_container: null
+ heat_engine:
+ volumeMounts:
+ volumes:
+ heat_bootstrap:
+ init_container: null
+ heat_bootstrap:
+ volumeMounts:
+ volumes:
+ heat_trusts:
+ init_container: null
+ heat_trusts:
+ volumeMounts:
+ volumes:
+ heat_engine_cleaner:
+ init_container: null
+ heat_engine_cleaner:
+ volumeMounts:
+ volumes:
+ heat_purge_deleted:
+ init_container: null
+ heat_purge_deleted:
+ volumeMounts:
+ volumes:
+ heat_tests:
+ init_container: null
+ heat_tests:
+ volumeMounts:
+ volumes:
+ heat_db_sync:
+ heat_db_sync:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ cfn: 1
+ cloudwatch: 1
+ engine: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ cfn:
+ min_available: 0
+ cloudwatch:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ cfn:
+ timeout: 30
+ cloudwatch:
+ timeout: 30
+ engine:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ cfn:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ cloudwatch:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ engine:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ trusts:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ engine_cleaner:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ purge_deleted:
+ requests:
+ memory: "124Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+network_policy:
+ heat:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ cron_job_engine_cleaner: true
+ cron_job_purge_deleted: true
+ deployment_api: true
+ deployment_cfn: true
+ deployment_cloudwatch: false
+ deployment_engine: true
+ ingress_api: true
+ ingress_cfn: true
+ ingress_cloudwatch: false
+ job_bootstrap: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user_domain: true
+ job_ks_user_trustee: true
+ job_ks_user: true
+ job_rabbit_init: true
+ pdb_api: true
+ pdb_cfn: true
+ pdb_cloudwatch: false
+ pod_rally_test: true
+ network_policy: false
+ secret_db: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ service_api: true
+ service_cfn: true
+ service_cloudwatch: false
+ service_ingress_api: true
+ service_ingress_cfn: true
+ service_ingress_cloudwatch: false
+ statefulset_engine: false
+...
diff --git a/charts/horizon/.helmignore b/charts/horizon/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/horizon/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/horizon/Chart.yaml b/charts/horizon/Chart.yaml
new file mode 100644
index 0000000..40de3cb
--- /dev/null
+++ b/charts/horizon/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Horizon
+home: https://docs.openstack.org/horizon/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: horizon
+sources:
+- https://opendev.org/openstack/horizon
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.24
diff --git a/charts/horizon/charts/helm-toolkit/Chart.yaml b/charts/horizon/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..d90280e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.44
diff --git a/charts/horizon/charts/helm-toolkit/requirements.yaml b/charts/horizon/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
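Review bot: The credentials are interpolated into the URI on the `printf "%s://%s:%s@%s:%s%s"` line without percent-encoding, so a password containing `@`, `:`, `/`, `?`, `#` or `%` produces a URI that the consumer either rejects or parses with the wrong host and password. Sprig's `urlquery` is available in Helm templates; the minimal change is `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}`, with the caveat that `urlquery` encodes a space as `+`, which userinfo parsers take literally, so passwords with spaces still need checking. The same unescaped interpolation appears in the transport lookup hunk at the two `printf` lines that build `$endpointCredAndHost`. Since this is a bundled copy of helm-toolkit, the change presumably also has to land upstream or it will be lost on the next re-bundle.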
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
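Review bot: The IPv4 test on the `regexMatch` line is unanchored, so any host value that merely contains a dotted quad (a constructed example: `db-10.0.0.1.example.internal`) is treated as a literal address and skips FQDN resolution, while a genuine IPv6 literal is never recognised. Anchoring it is a one-token change: `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`; `hostname_short_endpoint_lookup` uses the identical pattern and would take the same fix, and there it also returns `$type` rather than the host when an IP is detected, which that file's abstract does not mention. `$endpointScheme` on the line after `$endpointMap` is assigned but never read in this define and can be dropped.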
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
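Review bot: `printf "%1.f"` on the last line only works when the port reaches the template as a float64 (presumably how Helm delivers unquoted YAML numbers); a quoted port such as `"3306"` in an override renders as the Go format error text `%!f(string=3306)` instead of the port, and a non-integer float is silently rounded. `{{- printf "%d" ( int $endpointPort ) -}}` accepts both forms, though rendered output should be diffed before changing a helper this widely called. As this is a bundled helm-toolkit file, the fix presumably belongs upstream as well.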
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
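Review bot: The usage example in the header comment does not match the define: it passes an unquoted `identity` and includes `"keystone_endpoint_name_lookup"`, whereas the template is named `helm-toolkit.endpoints.keystone_endpoint_name_lookup` and the first tuple element is used as a string key. The example should read `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. Unlike the sibling lookups, this one returns the name wrapped in quotes via `| quote`, which the `return:` block shows but the abstract does not state.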
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
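Review bot: The `FIXME(portdirect)` comment above the header asks whether this function is used, but in this same commit both `authenticated_endpoint_uri_lookup` and `authenticated_transport_endpoint_uri_lookup` call it to build the URI path, so the comment is stale and nothing visible here substantiates the "bugged" claim. The `$port` parameter is indeed assigned and never read, which is the part that still holds; the comment could be reduced to `# NOTE: the port argument is unused and kept for call-site compatibility.` Because the two `#` lines sit outside `{{/* */}}`, they rely on the `_` file prefix to stay out of rendered output.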
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/horizon/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..7846895
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
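Review bot: The `docker-socket` volume at the end of this template mounts the host's `/var/run/docker.sock` into the job container, which is root-equivalent control of the node's container runtime, and nothing in the manifest records that or limits it beyond the job's node selector. I would add a template comment above the `docker-socket` volumeMount, e.g. `{{/* NOTE: the host Docker socket gives this job full control of the node's container runtime; only enable image_repo_sync where the local registry is used and restrict the job's node selector to trusted nodes. */}}`. The hostPath has no `type:`, so on a node without a dockerd socket (containerd runtimes) the mount is presumably created as an empty directory and the sync script fails later rather than at scheduling; `type: Socket` on the hostPath would surface that at pod start. Neither the job's `serviceAccountName` RBAC nor a pod `securityContext` is visible here, so I cannot say what else constrains this pod.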
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
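Review bot: The egress rules generated from `endpoints.*.namespace` (the `namespaceSelector` emitted under `- to:` in the egress loop) match namespaces on a `name: <namespace>` label that Kubernetes does not set on its own, so on a cluster whose namespaces are not labeled that way the rule selects nothing and traffic to, for example, kube-dns is silently dropped once the policy carries `Egress`. Since v1.22 every namespace carries the immutable `kubernetes.io/metadata.name` label, so `kubernetes.io/metadata.name: {{ index $value "namespace" }}` would be the safer selector, or the labeling requirement should be stated in the values header above (its example also relies on `name: default`). The host-derived branch is a heuristic as well: it takes the text before the first `-` of `hosts.internal` (or `hosts.default`) as the target's `application` label, which can be broader than or different from the real label, so a comment stating that assumption would help operators who override hosts. As I read the NetworkPolicy spec, when `network_policy.<label>` is absent from values the manifest still renders a `podSelector` with no rules, which Kubernetes treats as deny-all ingress for the selected pods; presumably callers gate the include on a `manifests` flag, but that is worth a comment at the top of the define.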
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
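Review bot: The header examples document the per-user auth entry as `name: {{ $userName }}` / `password: {{ $password }}`, but the define reads `$imageCredentials.username` when building `$dockerAuthToken`, so a values file written from the example renders a token with a missing user instead of failing. Either the example should say `username:`, or the template should fail fast: `{{- $dockerAuthToken := printf "%s:%s" (required "oci_image_registry auth username is required" $imageCredentials.username) (required "oci_image_registry auth password is required" $imageCredentials.password) | b64enc }}`. The example `return:` blocks also show the data key as `dockerconfigjson`, whereas the template (correctly, for `type: kubernetes.io/dockerconfigjson`) writes `.dockerconfigjson`, and the two examples are identical so one can go. `$registryHost` and `$registryPort` are interpolated into a JSON literal without escaping, which is fine for hostnames; a one-line comment noting that assumption would avoid surprises if `endpoint_host_lookup` ever returns something containing quotes.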
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
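Review bot: When `tls.ca` is set the define appends it to `tls.crt` but does not expose it as a separate `ca.crt` key, so consumers that need the CA on its own (client-certificate verification, or a chart that mounts this secret to configure trust) cannot get it from the secret. If that is wanted, one line inside the `if $endpointHost.tls.ca` branch is enough, `ca.crt: {{ $endpointHost.tls.ca | b64enc }}`, since `kubernetes.io/tls` secrets tolerate extra keys. Separately, when `key` or `crt` is empty the template renders nothing rather than failing, which leaves the ingress pointing at a secret that does not exist; if the silent skip is intentional (TLS optional per endpoint), a comment on the `if and $endpointHost.tls.key $endpointHost.tls.crt` line saying so would save the next reader a debugging round. The abstract calls this a "public" TLS secret, while the `endpoint` parameter accepts any endpoint name; the abstract could say so.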
diff --git a/charts/horizon/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/horizon/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
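Review bot: The `clusterIP` lookup at the bottom indexes `$envAll.Values.endpoints` with `$backendServiceType` as passed, while the usage comment above shows callers passing the hyphenated form (`key-manager`) and the sibling TLS template in this commit normalises the same parameter with `replace "-" "_"` before indexing endpoints; unless every caller passes the underscore form, the `ip.ingress` override is silently never applied for hyphenated service types. I would normalise once, `{{- $endpointKey := $backendServiceType | replace "-" "_" -}}`, and use `$endpointKey` in the three `index` calls. The selector `app: ingress-api` is hard-coded with no explanation; a comment stating that this Service is meant to front the chart's ingress controller pods would make that coupling explicit. The header comment's `{-` / `{ ` delimiters look like an escaping artefact and would read better as `{{-` / `{{` inside a `{{/* */}}` comment, as the other templates do.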
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
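Review bot: For any `RGW_PROTO` other than `http` the script adds `--no-check-certificate`, so TLS to the RGW endpoint is used without verifying the server, and the admin access/secret keys in `ADMIN_AUTH_ARGS` are exposed to anyone able to interpose on that connection. I would make verification the default and keep the bypass opt-in, e.g. `CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT}"` when a CA path is supplied and `--no-check-certificate` only behind an explicit variable, or at minimum add a comment stating that the in-cluster RGW certificate is self-signed and that this is a deliberate trade-off. The keys are also passed as command-line arguments, which makes them visible in `/proc/*/cmdline` to anything sharing the pod's PID namespace; s3cmd can read them from a config file (`-c`), which keeps them out of the process list. Minor: `s3://$S3_BUCKET` and the `--acl-grant` values are unquoted, so a bucket or user name with shell metacharacters would be word-split.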
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
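Review bot: `update_s3_user` decides that "Current user and key pair exists" by comparing only the access key, so a rotation that keeps `S3_ACCESS_KEY` but changes `S3_SECRET_KEY` is never applied: the matching key is left untouched and the trailing `user modify` is skipped because `current_access_key` is non-empty. The loop should also compare the stored secret and re-create the key when it differs; as I read `radosgw-admin`, `key create` with an existing access key replaces the secret, so the lines below would close the gap. The keys are also passed on the `radosgw-admin` command line, which exposes them in `/proc/*/cmdline` inside the pod; low severity for a short-lived job, but worth a comment. Minor: `--uid=${S3_USERNAME}\` in `update_s3_user` lacks a space before the continuation backslash, which works today but is fragile.
```shell
    if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
      # Same access key: make sure the stored secret matches the supplied one.
      old_secret=$(radosgw-admin user info --uid=${S3_USERNAME} \
        | jq -r --arg ak "$access_key" '.keys[] | select(.access_key == $ak) | .secret_key')
      if [ "$old_secret" != "${S3_SECRET_KEY}" ]; then
        echo "Access key unchanged, updating secret key"
        radosgw-admin key create --uid=${S3_USERNAME} --key-type=s3 \
          --access-key=${S3_ACCESS_KEY} --secret-key=${S3_SECRET_KEY}
      else
        echo "Current user and key pair exists."
      fi
      continue
    else
      # … unchanged: remove stale key …
    fi
```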
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
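Review bot: The `DROP DATABASE` and `DROP USER` statements are built with `str.format` from the database and user names parsed out of `DB_CONNECTION` (or the service config file) with no quoting or validation, so a name containing a backtick, quote or `;` reaches MariaDB verbatim; the inputs come from chart values rather than end users, but a root-privileged drop script is exactly where an identifier whitelist is cheap insurance. I would validate both names against `[A-Za-z0-9_]+` before use and wrap them in backticks, as below (this needs `import re` next to the existing imports). Separately, `root_engine_url` is rebuilt by concatenating `url.username` / `url.password`, which SQLAlchemy returns already URL-decoded, so a root password containing `@`, `/` or `#` yields a connection string that no longer parses; if the SQLAlchemy in the image supports it, `root_engine_full.url.set(database=None)` (1.4+) keeps the encoding intact, otherwise `urllib.parse.quote_plus` the password before concatenation. The `db_init` template that follows shares this preamble but is cut off here, so the same points presumably apply there.
```python
# Reject identifiers that would need quoting: the names come from chart
# values, but this runs as the DB root user, so be strict.
IDENT_RE = re.compile(r'^[A-Za-z0-9_]+$')
for label, value in (('database', database), ('user', user)):
    if not value or not IDENT_RE.match(value):
        logger.critical("Refusing to drop: invalid {0} name {1!r}".format(label, value))
        sys.exit(1)

# Delete DB
try:
    root_engine.execute("DROP DATABASE IF EXISTS `{0}`".format(database))
    # … unchanged: logging / except …

# Delete DB User
try:
    root_engine.execute("DROP USER IF EXISTS `{0}`".format(user))
    # … unchanged: logging / except …
```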
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
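Review bot: The `CREATE DATABASE IF NOT EXISTS {0}` and `GRANT ALL ON `{0}`.* TO '{1}'@'%%' IDENTIFIED BY '{2}' {3}` statements are built with `str.format`, so the database name, user name and password from the service connection string go into the SQL text unescaped; a generated password containing a single quote or backslash breaks the GRANT or changes its meaning, and the same holds for the sibling drop script earlier on this page. These values come from chart-managed secrets rather than end users, so this is a robustness problem more than a classic injection, but password generators do produce such characters. I would bind the password with `sqlalchemy.text()` as a `:pw` parameter instead of formatting it in, and reject `database`/`user` that do not match `^[A-Za-z0-9_]+$` before they reach the statement. Since this is a bundled copy of helm-toolkit's db-init script, the fix should land upstream as well as here.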
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
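Review bot: With `set -ex` at the top of the script, the `CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';` and `ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'` commands are echoed by xtrace with the password expanded, so the service DB password ends up in the job's pod logs. The keystone user script in this same toolkit guards its password step with `set +x` … `set -x`; wrapping the two password statements here the same way closes the leak. Separately, `EXPORT PGDATABASE=$2` inside `pgsql_superuser_cmd` is not a shell builtin (`export` is lowercase), so any caller passing a second argument would abort under `set -e`; no caller in this hunk does, but it should be corrected before one appears.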
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
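Review bot: `docker pull ${IMAGE}` followed by `docker tag`/`docker push` mirrors whatever the mutable tag resolves to at run time with no digest check, so the contents of `${LOCAL_REPO}` depend on when the job ran and can change silently on a re-sync. If the sync list is meant to pin what the charts deploy, record or verify the digest after the pull (`docker image inspect` exposes it under RepoDigests — note that its Go-template `--format` braces would need escaping inside a Helm `.tpl`), or accept `IMAGE_SYNC_LIST` entries in `name@sha256:…` form with a separate target name for the tag step. Also, the variables are unquoted under `#!/bin/sh` while `IFS=','` stays set for the rest of the script; quoting `"${IMAGE}"` and `"${LOCAL_REPO}/${IMAGE}"` is cheap insurance.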
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
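Review bot: `set -ex` is in effect when `openstack user create … --password="${SERVICE_OS_PASSWORD}"` and `openstack user set --password="${SERVICE_OS_PASSWORD}"` run, so both commands are traced to the job log with the service password in clear. The sibling `_ks-user.sh.tpl` in this same set already avoids this by bracketing its password step with `set +x` / `set -x` and echoing a masked command line; do the same here (`set +x` before the user create, `set -x` after the `user set`). As this is a bundled copy of helm-toolkit, the change belongs upstream too.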
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
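Review bot: The retry loop cannot tell "service list failed" from "service not found": `openstack service list … | grep … | sed …` yields an empty `OS_SERVICE_ID` in both cases (the pipeline's status is sed's, so `set -e` never fires), and after three empty results the script falls through to `openstack service create`, which is exactly the duplicate-service scenario the FIXME above describes. Capture the listing on its own so a failed call retries but never creates, e.g. `SVC_LIST=$(openstack service list -f csv --quote none) || { sleep 2; continue; }` and then run the grep/sed over `"${SVC_LIST}"`, and fail the job with a clear message if all three attempts error. The `exit 0` inside the loop also only works because this script is the whole job; `break` plus a post-loop check would read more clearly and survive being sourced.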
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
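Review bot: The X509 branch of `rabbitmqadmin_cli` passes `--ssl-disable-hostname-verification` together with the CA and client certificate, so any certificate chained to that CA is accepted for `${RABBIT_HOSTNAME}` regardless of its SAN, and the mTLS path still permits impersonation by another workload holding a cert from the same issuer. If the flag exists because the cluster-internal hostname is absent from the server cert's SAN, say so in a comment next to it and fix the server cert instead; otherwise drop the flag. Two smaller points: the admin and user passwords travel as `--password=`/`password=` command-line arguments, which are readable from `/proc/<pid>/cmdline` by anything sharing the pod's PID namespace (a minor exposure in a single-container job), and the optional definitions JSON is written to `/tmp/rmq_definitions.json` with the default umask, so a `umask 077` before that write is a one-line hardening.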
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
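Review bot: `/tmp/rally-config.json` contains both the admin `OS_PASSWORD` and the service user password in clear and is created with the shell's default umask (typically 022, i.e. world-readable) before `rally deployment create` consumes it and it is removed. Put `umask 077` before the `cat > /tmp/rally-config.json << EOF` line (or pre-create it with `install -m 600 /dev/null /tmp/rally-config.json`) so the window is closed, and consider moving the `rm -f` into the EXIT trap so a failure inside `rally deployment create` does not leave the file behind. Also, `[ $revisionResults = "None" ]` is unquoted: if `rally db revision` prints nothing the test becomes `[ = None ]` and, under `set -e`, the script aborts on a syntax error instead of reaching `rally db create`; `[ "${revisionResults}" = "None" ]` fixes that.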
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
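Review bot: `${$ARCHIVE_DIR}` in the WARN message of remove_old_local_archives is a bad substitution, so the missing-directory branch aborts the function instead of logging; it should read `${ARCHIVE_DIR}`. The cleanup loop at the end of remove_old_remote_archives tests and removes the literal name `fd` rather than `${fd}`, so the two mktemp files created by prepare_list_of_remote_backups are left in /tmp and a spurious warning is logged on every run — `if [[ -f "${fd}" ]]; then rm -f "${fd}"`. The check `[[ -z fileTable[${INDEX}] ]]` in create_hash_table compares a non-empty literal string, so the else branch always runs; `[[ -z "${fileTable[${INDEX}]}" ]]` is the intended test. In send_to_remote_server the keystone token is handed to curl as a command-line argument, where it is readable from the process list by any other process sharing the PID namespace; reading the header from a temporary file (`-H @"${HDR_FILE}"`) keeps it out of argv, and on that same call `2>&1 > $RES_FILE` sends curl's stderr to stdout rather than into the result file (`> $RES_FILE 2>&1`), so the HTTP-status grep below it can miss connection errors.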
diff --git a/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
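Review bot: A lookup of an unknown tag key renders `image: ""` silently — at L85210 `index $envAll.Values.images.tags $image` yields nil when the key is absent, and the `else` branch then quotes an empty string that only fails later at pod admission. Wrapping the lookup makes the error surface at template time with the key named: `{{- $imageTag := required (printf "images.tags.%s is not set" $image) (index $envAll.Values.images.tags $image) -}}`. The local-registry branch embedding the upstream host in the path (`localhost:5000/docker.io/...`) matches the documented return value, so that part reads as intended.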
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
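Review bot: The header comment no longer matches the define: the `return:` listing shows `OS_CACERT` unconditionally and omits `OS_DEFAULT_DOMAIN`, while the code always emits `OS_DEFAULT_DOMAIN` (L85354) and emits `OS_CACERT` only when the caller passes `useCA` (L85359), a parameter the `usage:` line never mentions. I'd change the usage line to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}` and add `OS_DEFAULT_DOMAIN` to the return listing. A one-line comment above the `OS_ENDPOINT_TYPE` entry saying it deliberately reads the `OS_INTERFACE` key would also help, since at L85328 it reads like a copy-paste slip.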
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
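Review bot: Every field at L85393–L85399 is piped straight into `b64enc` with no presence check, so a values file missing e.g. `region_name` or `password` for the requested class — or an unknown `$userClass`, which leaves `$userContext` nil at L85391 — appears to fail with a generic template type error rather than naming the missing key. Guarding the lookup with `{{- $userContext := required (printf "endpoints.identity.auth.%s is not defined" $userClass) (index $context.Values.endpoints.identity.auth $userClass) }}` gives a clear failure for the unknown-class case. Unlike the sibling snippets this file has no `abstract:`/`values:`/`usage:` header; it should list the expected `endpoints.identity.auth.<userClass>` keys and state that `OS_PASSWORD` is taken directly from chart values, so the credential must be supplied via an override or external secret rather than a values file committed to VCS.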
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
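Review bot: The `usage:` example at L85434 passes `"useCA" true`, but the define reads only `.ksUserSecret` (L85469) and never emits a CA variable, so the documented option is silently ignored and a caller can believe CA verification is configured when it is not. Either drop `"useCA" true` from the example, or, if the user-create jobs need the CA bundle for TLS to Keystone, add the same `{{- if .useCA }}` guarded block as `keystone_openrc_env_vars` emitting `SERVICE_OS_CACERT` from the secret's `OS_CACERT` key.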
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
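Review bot: The `values:` example at L85529 puts `apparmor_profiles` under `pod.mandatory_access_control`, but the define reads `$envAll.Values.conf.apparmor_profiles` at L85559 and L85567, so a user following the header gets no ConfigMap and no error; the example should move `apparmor_profiles` under `conf:`. Separately, the L85559 access is a plain field chain, so a chart with no `conf` stanza at all will likely fail with a nil-pointer template error once `configmap_apparmor` is enabled; wrapping it as `{{- if hasKey $envAll.Values "conf" }}` before `{{- if $envAll.Values.conf.apparmor_profiles }}` keeps the gate safe.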
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
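Review bot: The image reference at L85635 bypasses the `helm-toolkit.snippets.image` helper used by the rest of the toolkit, so the loader ignores `images.local_registry` and `images.pull_policy` and renders with no `imagePullPolicy` at all; `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` in place of the `image:` line keeps it consistent. The container is `privileged: true` with host `/sys` and `/etc/apparmor.d` mounted (all `readOnly`, which is good); that is inherent to loading kernel profiles, but the header should say the pod therefore needs a privileged admission policy. The `apparmor-loader: unconfined` entry in the `values:` example is not consumed by this define, so the header should also state where, if anywhere, it takes effect.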
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
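Review bot: The two `hostPath` volumes at L85713–L85719 carry no `type:`, so on a node without `/etc/apparmor.d` the mount may come up as an empty directory and the loader runs against nothing instead of the pod failing visibly; `type: Directory` on both makes missing host support an explicit error. The `profiles` ConfigMap uses `defaultMode: 0555`, setting the execute bit on profile text the loader only reads; `0444` is sufficient. `$configName` is built from `$envAll.Release.Name` and `$component`, matching the configmap snippet's naming, so the two stay in sync.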
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
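Review bot: The guard at L85777 assumes `pod.security_context.<application>` always has a `container` key: `index $envAll.Values.pod.security_context $application "container"` is nil when only a `pod:` sub-stanza is set, and `hasKey` on nil fails the render instead of emitting nothing like the outer guards do. Inserting `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "container" }}` before the existing per-container check (and one more `{{- end -}}`) preserves the optional-stanza behaviour. The header should also note that when the stanza is absent no `securityContext` is rendered at all, so charts relying on this snippet for `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem: true` must set those values explicitly.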
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
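Review bot: The `container.apparmor.security.beta.kubernetes.io/<name>` annotation rendered by this snippet is the legacy beta mechanism; recent Kubernetes (1.30 and later) carries the profile in the container's `securityContext.appArmorProfile` field and treats the annotation as deprecated, so a chart bundled today should say which one it relies on. Suggest a line in the abstract such as `# NOTE: emits the beta annotation only; clusters that have dropped annotation support need securityContext.appArmorProfile instead`. The `note` stanza would also read better as "The container list is variadic: the snippet loops over every container name supplied." Both are documentation-only changes.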
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
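Review bot: The component-specific labels are rendered first and `pod.labels.default` second, so a key present in both produces a duplicate YAML key, and on parsers that keep the last occurrence the `default` value silently wins over the per-component override. That inverts what a reader expects from a "default" map. Either document it with a comment above the `default` branch (`# NOTE: default labels are emitted last; a key set in both places yields a duplicate key and the default value typically wins`) or merge the two maps into one dict before the single `toYaml`, with the component map taking precedence, so the output never contains duplicate keys.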
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
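Review bot: `podAntiAffinity:` is emitted before the type check, so a misspelled or unsupported `pod.affinity.anti.type` value falls through both branches and renders `podAntiAffinity:` with a null body, silently dropping the scheduling constraint instead of failing the render. A final branch makes the mistake visible at template time: `{{- else }}` followed by `{{- fail (printf "unsupported pod.affinity.anti.type: %s" $antiAffinityType) }}` before the closing `{{- end -}}`. The `10` hard-coded in the `else` at the weight lookup duplicates the documented `weight.default`; worth a comment saying it is the fallback when the `weight` map is absent entirely.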
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
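Review bot: The single rule grants `get` and `list` on every collected resource across all four API groups at once, which is broader than any of the resources needs (`jobs` live in `batch`, `daemonsets` in `apps`, the rest in the core group), and when `secrets` is in the list the `list` verb lets the dependency-check init container read the contents of every Secret in the namespace rather than just the named one. Splitting the rule per API group is a mechanical change; whether `list` can be dropped in favour of `get` on named objects depends on what kubernetes-entrypoint actually calls, so that should be confirmed against its client code before narrowing. At minimum a comment above `rules:` noting that the role is intentionally namespace-wide read access would tell the next reviewer this was considered. The rendered Role and RoleBinding names embed `$releaseName`, `$saNamespace` and `$saName` unquoted; they are DNS-1123 names in practice, but a comment stating that assumption would help.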
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
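Review bot: The `range $k, $v := $deps` loop maps `services`, `jobs`, `daemonset`, `pod` and `secret` into role entries but never handles `custom_resources`, even though the init-container snippet in this same commit passes those through as `DEPENDENCY_CUSTOM_RESOURCE`; unless that access is granted elsewhere, a chart that declares a custom-resource dependency would have its check rejected by the API server. A comment above the loop stating that custom resources are deliberately out of scope here, or an additional branch that records them, would close that gap. Separately, when an endpoint's `namespace` differs from the release namespace the snippet creates a Role and RoleBinding in that foreign namespace; that is presumably intended for cross-namespace service checks, but it means the release manages RBAC objects outside its own namespace and deserves a comment at the `$endpointNS` line.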
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
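Review bot: The `runAsUser` derived from the deprecated `pod.user.<app>.uid` key is rendered before the `security_context.<app>.pod` map is dumped, so a chart that sets both (for example during migration from the old key to the new one) emits `runAsUser` twice under `securityContext:` and the second value wins on most parsers. The abstract could say so explicitly: `# NOTE: if both pod.user.<app>.uid and security_context.<app>.pod.runAsUser are set, the latter is emitted last and takes precedence`. The abstract also has a typo, `seurity context`, which should read `security context`.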
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
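Review bot: `mergeOverwrite $probeTemplate $probeOverides` mutates `$probeTemplate` in place, so if a caller builds one template dict and passes it to this snippet for both `liveness` and `readiness`, the first call's `params` leak into the second. The documented usage rebuilds the dict via `include ... | fromYaml` each time, which hides the issue, but a defensive copy costs nothing: `{{ dict ( printf "%sProbe" $type ) (mergeOverwrite (deepCopy $probeTemplate) $probeOverides ) | toYaml }}`. The local `$probeOverides` is also misspelled; `$probeOverrides` would read better.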
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
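Review bot: The `return` example in the doc comment has an unterminated string, `memory: "128Mi`, which should read `memory: "128Mi"`. Since the header already marks the function as deprecated, it would help to name the replacement callers should migrate to, or at least to say that the `component` argument is the per-container resources map rather than a component name, since the parameter name suggests otherwise.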
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
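Review bot: `hasKey (index $envAll.Values.pod "seccomp") $podName` is evaluated without first checking that `pod.seccomp` exists, so a chart whose values omit the key hands `hasKey` a nil rather than a map and the render errors; the sibling mandatory-access-control snippet in this commit guards its key with a preceding `hasKey $envAll.Values.pod "mandatory_access_control"`, and the same outer `{{- if hasKey $envAll.Values.pod "seccomp" -}}` / `{{- end -}}` pair would make this one consistent. Nesting two `if`s is safer than a single `and`, since Go template `and` only short-circuits on newer Go versions. The `container.seccomp.security.alpha.kubernetes.io/<name>` annotation has also been deprecated since Kubernetes 1.19 in favour of `securityContext.seccompProfile` and is no longer honoured on recent clusters, which the abstract should state so operators know the snippet may be a no-op for them.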
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
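Review bot: The values example documents an `enabled: true` flag under each tolerations entry, but the snippet never reads it: `$pod.tolerations` is rendered unconditionally, so `enabled: false` has no effect. Either honour it by wrapping the output, `{{- if $pod.enabled }}` before `tolerations:` and `{{- end }}` after the `toYaml` line, or drop the flag from the example so the documented contract matches the code. If the flag is intentionally ignored for backward compatibility, a one-line comment saying so would prevent the next reader from re-raising this.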
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
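Review bot: `type: {{ $pod_replacement_strategy }}` under `updateStrategy:` is emitted before the `{{- if $pod_replacement_strategy }}` guard, so an unset strategy renders `type:` with an empty value instead of omitting the key; moving the line inside the guard, `{{- if $pod_replacement_strategy }}` / `  type: {{ $pod_replacement_strategy }}`, avoids handing the API server an empty type. The file also lacks the `abstract:`/`values:`/`usage:`/`return:` header that the sibling snippets carry; a header describing the per-component map (`enabled`, `min_ready_seconds`, `max_unavailable`) and the shared `daemonsets.pod_replacement_strategy` key would make the expected values shape discoverable.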
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
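Review bot: `maxUnavailable: {{ .rolling_update.max_unavailable }}` dereferences `.rolling_update` with no nil check, so a values file that sets `pod_replacement_strategy: RollingUpdate` but omits `rolling_update` fails at render with a nil-pointer message rather than one naming the missing key; wrapping the two lines in `{{- with .rolling_update }}` … `{{- end }}` or using `required` would make the contract explicit. The file has no abstract/values/usage header like the other snippets; documenting `revision_history`, `pod_replacement_strategy`, `rolling_update.max_unavailable` and `rolling_update.max_surge` there would be enough.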
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
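Review bot: `{{ if .partition -}}` treats `partition: 0` as unset, so a caller cannot express a zero partition explicitly, and the check runs regardless of `pod_replacement_strategy`, so `OnDelete` combined with a `partition` key emits a `rollingUpdate:` block that, as far as I recall, the API server rejects for that strategy. `{{ if and (eq .pod_replacement_strategy "RollingUpdate") (hasKey . "partition") -}}` covers both cases. The header's `Types:` list could then note that `partition` is only honoured for `RollingUpdate`.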
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
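Review bot: The comment block above `mon_host_from_k8s_ep()` describes entries as `[v2:x.x.x.x/p/0]`, but the `printf` calls build `v2:%s:%d/0` and `v1:%s:%d/0`, i.e. `v2:x.x.x.x:p/0`; the comment should read `[v2:x.x.x.x:p/0]`, `[v1:x.x.x.x:q/0]` and `[v2:x.x.x.x:p/0,v1:x.x.x.x:q/0]` so readers are not misled about the separator ceph expects. It is also worth a one-line comment that subsets with neither a `mon` nor a `mon-msgr2` port are silently skipped, which is one way `MON_HOST` ends up empty in the usage example. This is the only snippet in the bundle without the Apache license header, which looks accidental.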
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
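Review bot: The `#` block above the define says `The required annotations are:` but each annotation is emitted only when its key in `$config` is set, so none of them is required; `The supported annotations are:` matches the code. The same wording appears in `_prometheus_service_annotations.tpl` in the next hunk.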
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
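Review bot: The license header at the top of this file is missing its first line, `Licensed under the Apache License, Version 2.0 (the "License");`, and the blank lines around the URL, so it starts mid-sentence with `you may not use this file`; the pod-annotations sibling has the full text to copy. Since this toolkit is vendored into every chart in the bundle, the truncated header will be replicated everywhere if it is not fixed at the source.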
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
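Review bot: The header's abstract reads `Reneders an attonation key and value for a release` and should be `Renders an annotation key and value for a release`. As this comment block is the only documentation of the snippet, it is worth correcting before it is copied into each bundled chart's helm-toolkit.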
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
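Review bot: `{{- $s3AdminSecret := .s3AdminSecret }}` has no guard, so a caller that omits the key renders three `secretKeyRef` entries with an empty `name:`, which is only rejected at apply time with a message far from this template; `{{- $s3AdminSecret := required "s3AdminSecret must name the RGW admin Secret" .s3AdminSecret }}` fails at render with the reason. A short header documenting the expected dict (`s3AdminSecret`: name of a Secret holding `S3_ADMIN_USERNAME`, `S3_ADMIN_ACCESS_KEY` and `S3_ADMIN_SECRET_KEY`) would bring this file in line with the other snippets.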
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
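Review bot: The Secret data keys written here are `{{ $key | upper }}` of whatever sits under `storage.s3.clients.<client>.auth`, while `_rgw_s3_user_env_vars.tpl` in the next hunk reads the fixed keys `USERNAME`, `ACCESS_KEY` and `SECRET_KEY` from the same `<client>-s3-user-secret`; that coupling is stated in neither file. A header on this define along the lines of `auth must contain username, access_key and secret_key; the keys are upper-cased to form the Secret data keys consumed by rgw_s3_user_env_vars` would close the gap. The blank line before `{{ end }}` and the unchomped `{{ end }}` also emit stray blank lines between documents, which is cosmetic but `{{- end }}` alone is cleaner.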
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
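Review bot: The `usage:` example passes `"enabled" "true"` as a string, but `{{- if and $enabled (ne $name "") }}` only tests truthiness, so the string `"false"` would also enable the volume; since the header calls `enabled` a boolean the example should pass one, e.g. `{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" -}}`, as the volume-mount sibling does. `kuberentes` in the `secretName` description is a typo for `kubernetes`.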
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
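Review bot: The second `usage:` block passes `"ca" true`, but the define never indexes a `ca` key; the CA-only mount at `/etc/ssl/certs/openstack-helm.crt` is selected solely by `path` being absent or empty (`{{- if and (eq $path "") (ne $name "") }}`). Either read the key, `{{- $ca := index . "ca" | default false -}}` and branch on `$ca`, or drop `"ca" true` from the example and document that omitting `path` selects the CA-only mount. `$key` in `range $key, $value := $certs` is unused and could be `$_`.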
diff --git a/charts/horizon/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/horizon/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
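Review bot: `tpl ( $template | toYaml ) .` executes any template directives present in the value passed as `template` against the full chart context, so anything under `.Values.conf.*` that reaches this snippet can invoke functions such as `.Files.Get` or `lookup` at render time; the header presents this as a feature but never states the trust assumption. A sentence in `abstract:` such as `the template value is rendered with tpl against the full chart context and is therefore treated as trusted template source, not plain data` would make that explicit for operators who merge values from several sources. The `format` parameter (`configMap` by default, `Secret` for base64-encoded output) is also not mentioned in the header.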
diff --git a/charts/horizon/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/horizon/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
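Review bot: Both branches put `caKey` (the CA private key) into the returned dict, but the header's `return:` block lists only `ca`, `crt`, `exp` and `key`; add `caKey: | <CA PRIVATE KEY>` there and note that a caller writing this dict straight into a Secret persists the CA private key alongside the leaf key, which it may not intend. Separately, when `ca` is present but lacks `crt` or `key`, the inner `if` sets no `$local.ca` and `genSignedCert` receives nil, despite the comment promising auto-generation when a CA is not provided; moving the `genCA` fallback into an `{{- else }}` of the inner `if` would honour that promise.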
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
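Review bot: `{{- if $k -}},{{- end -}}` relies on `$k` being the zero-based index of the services list, so the test means "not the first entry"; a comment saying so, or naming the variable `$idx`, would save readers a second look, and splitting the single-line range body across lines would make the separator logic visible. The header's `return:` example (`bar:memcache,foo:mariadb`) follows the order of the services list rather than a sorted order, which is worth stating.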
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
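Review bot: The define has no header describing its inputs: `$keyRoot` is expected to be a map with optional `override`, `prefix` and `append` strings, `$configTemplate` a template string and `$context` the chart context, and every output line is indented by four spaces (`indent 4`), which callers must know to place it under a `data:` key. An `abstract:`/`values:`/`usage:` block like the other utils carry would document this, and a comment on the hard-coded `indent 4` noting that it assumes a `data:` entry two levels deep would prevent surprises when it is reused elsewhere.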
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
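Review bot: `{{- $_ := unset $context ".Files" }}` near the top of `helm-toolkit.utils.daemonset_overrides` looks like a no-op, because the root context's key is `Files`, not `.Files`; if the intent is to drop the chart files before `$context` is copied into each per-node entry, the key should be `"Files"`, otherwise the line can go — worth confirming what was intended. The guard `{{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set ... "name" dict }}{{- end }}` is dead code, since the following line unconditionally overwrites `metadata.name`; only the `metadata` guard on the line before it is needed. The DNS-1123 name is derived from a label key with only `_` replaced, as the inline comment admits; a label key containing other characters invalid in a resource name (`.`/`/` are common in label keys) will still produce an unschedulable object, so a short note pointing operators at that constraint in the `conf.overrides` documentation would help.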
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
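Review bot: The slice branch of `helm-toolkit.utils.dependency_resolver` does not guard the lookup the way the string branch does: `index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey` is evaluated for every mixin name, and when `$v` is absent from `dependencies.dynamic.targeted` the nested `index` on a nil value aborts rendering with an index error rather than falling back to the static dependencies. The string branch wraps the same lookup in `{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}`; the range body should carry the equivalent `{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }}` … `{{- end }}` around the merge so both branches behave the same for an unknown mixin.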
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
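Review bot: `$wtf` in `helm-toolkit.utils.hash` says nothing about what it holds; it is the path of the sibling template to include, so `$templatePath` (or `$siblingTemplate`) would read better, and the same local appears in `helm-toolkit.utils.template` in `_template.tpl` further down this diff. Separately, `$context.Template.Name | replace $last $name` replaces every occurrence of the basename in the full path, not just the trailing component; if a chart ever has a directory whose name equals a template's basename the lookup would silently point at a non-existent template, so computing the directory with `dir` and joining `$name` onto it would be the safer form — hedged, since it depends on chart layout.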
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
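Review bot: The separator in `helm-toolkit.utils.image_sync_list` is emitted before the exclude check, so an excluded image that follows an included one produces an empty element (`a,,b`): the `,` is written for the excluded key, but no value follows it. Moving the separator inside the include branch fixes it — `{{- if (not (has $k $imageExcludeList )) -}}` then `{{- if not $local.first -}},{{- end -}}` then `{{- index $imageDict $k -}}` — leaving the `set $local "first" false` where it is. A one-line `abstract` header stating that the output is a comma-joined list of `images.tags` values minus `images.local_registry.exclude` would also bring this file in line with the other helpers.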
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
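Review bot: The `abstract` header for `helm-toolkit.utils.joinListWithCommaAndSingleQuotes` misspells "separated" as `seperated`. The helper also wraps each value in `'` without escaping any single quote inside the value, so a list element containing `'` yields malformed output; whether to double the quote or backslash-escape it depends on the consumer of the string, so at minimum the header should state that values are expected not to contain single quotes.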
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
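Review bot: The first line of `_joinListWithPrefix.tpl` is `{/*` rather than `{{/*`, so the license header is not parsed as a template comment; the text up to `*/}}` is treated as literal template output. It is harmless only because partials beginning with `_` are never rendered as manifests, but it is still a typo that should be `{{/*` to match every other file in this directory.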
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_template.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/horizon/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/horizon/charts/helm-toolkit/values.yaml b/charts/horizon/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/horizon/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/horizon/requirements.lock b/charts/horizon/requirements.lock
new file mode 100644
index 0000000..7dabb14
--- /dev/null
+++ b/charts/horizon/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.44
+digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
+generated: "2022-08-10T23:42:39.798166264Z"
diff --git a/charts/horizon/requirements.yaml b/charts/horizon/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/horizon/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
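Review bot: The toolkit dependency is constrained only by the open-ended range `version: ">= 0.1.0"` against `file://../../openstack-helm-infra/helm-toolkit`, while requirements.lock records 0.2.44 and a copy of the toolkit is bundled under charts/horizon/charts/helm-toolkit in this same commit. If the `openstack-helm-infra` tree is not checked out next to `charts/`, `helm dependency build` fails on the path; if it is present at a newer version, the range silently accepts it and the rebuilt chart no longer matches the vendored copy. Pinning the exact version, `version: "0.2.44"`, makes any drift between requirements, lock and the bundled chart fail loudly instead.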
diff --git a/charts/horizon/templates/bin/_db-sync.sh.tpl b/charts/horizon/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..7ef6a84
--- /dev/null
+++ b/charts/horizon/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
+rm -f ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+ln -s /etc/openstack-dashboard/local_settings ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+
+exec /tmp/manage.py migrate --noinput
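Review bot: `SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; ...")` depends on `distutils`, which is deprecated since Python 3.10 and removed in 3.12, so on a newer image the substitution yields an empty string and the following `rm -f` and `ln -s` operate on `/openstack_dashboard/local/...` instead of the real path; the same lookup is repeated in the `start` function of `_horizon.sh.tpl`. The stdlib replacement is `SITE_PACKAGES_ROOT=$(python -c "import sysconfig; print(sysconfig.get_paths()['purelib'])")`, to be checked on the target image since distro-patched Pythons differ in their default scheme. Quoting the expansions, `rm -f "${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py"`, also keeps an empty or odd path from being word-split into several arguments.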
diff --git a/charts/horizon/templates/bin/_django.wsgi.tpl b/charts/horizon/templates/bin/_django.wsgi.tpl
new file mode 100644
index 0000000..578ab50
--- /dev/null
+++ b/charts/horizon/templates/bin/_django.wsgi.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+NOTE (Portdirect): This file is required to support Horizon regardless of the
+image used, and to provide PyMySQL support.
+*/}}
+
+import logging
+import os
+import sys
+
+import pymysql
+
+pymysql.version_info = (1, 3, 13, "final", 0)
+pymysql.install_as_MySQLdb()
+
+from django.core.wsgi import get_wsgi_application
+from django.conf import settings
+
+# Add this file path to sys.path in order to import settings
+sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(__file__)), '../..'))
+os.environ['DJANGO_SETTINGS_MODULE'] = 'openstack_dashboard.settings'
+sys.stdout = sys.stderr
+
+DEBUG = False
+
+application = get_wsgi_application()
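Review bot: `DEBUG = False` near the end of the module has no effect: Django reads `DEBUG` from the settings module named by `DJANGO_SETTINGS_MODULE` (`openstack_dashboard.settings`, which in turn loads the rendered local_settings), not from names defined in the WSGI script, so the line suggests debug output is disabled here when it is actually governed elsewhere. Either drop it or replace it with a pointer such as `# DEBUG is controlled by local_settings (conf.horizon.local_settings), not by this file`. `import logging` and `from django.conf import settings` are both unused and can be removed.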
diff --git a/charts/horizon/templates/bin/_horizon.sh.tpl b/charts/horizon/templates/bin/_horizon.sh.tpl
new file mode 100644
index 0000000..1fedecd
--- /dev/null
+++ b/charts/horizon/templates/bin/_horizon.sh.tpl
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
+ rm -f ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+ ln -s /etc/openstack-dashboard/local_settings ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+ ln -s ${SITE_PACKAGES_ROOT}/openstack_dashboard/conf/default_policies /etc/openstack-dashboard/default_policies
+ {{- range $key, $value := .Values.conf.horizon.local_settings_d }}
+ ln -s /etc/openstack-dashboard/local_settings.d/{{ $key }}.py ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.d/{{ $key }}.py
+ {{- end }}
+ # wsgi/horizon-http needs open files here, including secret_key_store
+ chown -R horizon ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/
+
+ {{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+ {{- end }}
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ # The directory below has to be created due to the fact that
+ # libapache2-mod-wsgi-py3 doesn't create it in contrary by libapache2-mod-wsgi
+ if [ ! -d ${APACHE_RUN_DIR} ]; then
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+ fi
+ rm -rf /var/run/apache2/*
+ APACHE_DIR="apache2"
+
+ # Add extra panels if available
+ {{- range .Values.conf.horizon.extra_panels }}
+ PANEL_DIR="${SITE_PACKAGES_ROOT}/{{ . }}/enabled"
+ if [ -d ${PANEL_DIR} ];then
+ for panel in `ls -1 ${PANEL_DIR}/_[1-9]*.py`
+ do
+ ln -s ${panel} ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/enabled/$(basename ${panel})
+ done
+ fi
+ unset PANEL_DIR
+ {{- end }}
+
+ # If the image has support for it, compile the translations
+ if type -p gettext >/dev/null 2>/dev/null; then
+ cd ${SITE_PACKAGES_ROOT}/openstack_dashboard; /tmp/manage.py compilemessages
+ # if there are extra panels and the image has support for it, compile the translations
+ {{- range .Values.conf.horizon.extra_panels }}
+ PANEL_DIR="${SITE_PACKAGES_ROOT}/{{ . }}"
+ if [ -d ${PANEL_DIR} ]; then
+ cd ${PANEL_DIR}; /tmp/manage.py compilemessages
+ fi
+ {{- end }}
+ unset PANEL_DIR
+ fi
+
+ # Copy custom logo images
+ {{- if .Values.manifests.configmap_logo }}
+ cp /tmp/favicon.ico ${SITE_PACKAGES_ROOT}/openstack_dashboard/static/dashboard/img/favicon.ico
+ cp /tmp/logo.svg ${SITE_PACKAGES_ROOT}/openstack_dashboard/static/dashboard/img/logo.svg
+ cp /tmp/logo-splash.svg ${SITE_PACKAGES_ROOT}/openstack_dashboard/static/dashboard/img/logo-splash.svg
+ {{- end }}
+
+ # Compress Horizon's assets.
+ /tmp/manage.py collectstatic --noinput
+ /tmp/manage.py compress --force
+ rm -rf /tmp/_tmp_.secret_key_store.lock /tmp/.secret_key_store
+ chmod +x ${SITE_PACKAGES_ROOT}/django/core/wsgi.py
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+}
+
+function stop () {
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+}
+
+$COMMAND
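Review bot: The extra-panel loop in `start` iterates over `` `ls -1 ${PANEL_DIR}/_[1-9]*.py` ``, which parses `ls` output and word-splits on whitespace, so a filename containing a space produces a broken `ln -s`, and a panel directory with no matching files logs an `ls` error to the pod output rather than being skipped quietly. Letting the shell expand the glob and testing for a non-match keeps both cases correct; the rewritten loop is below. The `chmod +x ${SITE_PACKAGES_ROOT}/django/core/wsgi.py` just before the `exec` also deserves a comment explaining why a library module needs the execute bit, since that intent is not recoverable from the code.

```shell
    for panel in "${PANEL_DIR}"/_[1-9]*.py; do
      # The glob expands to itself when nothing matches; skip that case.
      [ -e "${panel}" ] || continue
      ln -s "${panel}" "${SITE_PACKAGES_ROOT}/openstack_dashboard/local/enabled/$(basename "${panel}")"
    done
    # … unchanged: fi / unset PANEL_DIR …
```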
diff --git a/charts/horizon/templates/bin/_manage.py.tpl b/charts/horizon/templates/bin/_manage.py.tpl
new file mode 100644
index 0000000..a49cffe
--- /dev/null
+++ b/charts/horizon/templates/bin/_manage.py.tpl
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+NOTE (Portdirect): This file is required to support Horizon regardless of the
+image used, and to provide PyMySQL support.
+*/}}
+
+import os
+import sys
+
+import pymysql
+pymysql.version_info = (1, 3, 13, "final", 0)
+pymysql.install_as_MySQLdb()
+
+from django.core.management import execute_from_command_line
+
+if __name__ == "__main__":
+ os.environ.setdefault("DJANGO_SETTINGS_MODULE",
+ "openstack_dashboard.settings")
+ execute_from_command_line(sys.argv)
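Review bot: `pymysql.version_info = (1, 3, 13, "final", 0)` is an unexplained magic tuple; it presumably exists so that Django's MySQL backend, which compares the installed `MySQLdb.version_info` against a minimum mysqlclient version, accepts PyMySQL after `install_as_MySQLdb()`. A comment such as `# Present PyMySQL as mysqlclient 1.3.13 so Django's MySQL backend version check passes` would make that intent explicit, and the same two lines in `_django.wsgi.tpl` should carry the same note so the two copies stay in sync. The shebang `#!/usr/bin/env python` is unversioned while `_selenium-test.py.tpl` uses `python3`; on an image that ships only `python3`, this entry point fails to start.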
diff --git a/charts/horizon/templates/bin/_selenium-test.py.tpl b/charts/horizon/templates/bin/_selenium-test.py.tpl
new file mode 100644
index 0000000..14cae8a
--- /dev/null
+++ b/charts/horizon/templates/bin/_selenium-test.py.tpl
@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+import os
+import sys
+import logging
+
+from selenium import webdriver
+from selenium.webdriver.common.by import By
+from selenium.webdriver.support.ui import WebDriverWait
+from selenium.webdriver.support import expected_conditions as EC
+from selenium.webdriver.chrome.options import Options
+from selenium.common.exceptions import TimeoutException
+from selenium.common.exceptions import NoSuchElementException
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('Horizon Selenium Tests')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter(
+ '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+def get_variable(env_var):
+ if env_var in os.environ:
+ logger.info('Found "{}"'.format(env_var))
+ return os.environ[env_var]
+ else:
+ logger.critical('Variable "{}" is not defined!'.format(env_var))
+ sys.exit(1)
+
+
+keystone_user = get_variable('OS_USERNAME')
+keystone_password = get_variable('OS_PASSWORD')
+horizon_uri = get_variable('HORIZON_URI')
+user_domain_name = get_variable('OS_USER_DOMAIN_NAME')
+
+# Add options to make chrome browser headless
+options = Options()
+options.add_argument('--headless')
+options.add_argument('--no-sandbox')
+chrome_driver = '/etc/selenium/chromedriver'
+browser = webdriver.Chrome(chrome_driver, chrome_options=options)
+
+try:
+ logger.info('Attempting to connect to Horizon')
+ browser.get(horizon_uri)
+ el = WebDriverWait(browser, 15).until(
+ EC.title_contains('OpenStack Dashboard')
+ )
+ logger.info('Connected to Horizon')
+except TimeoutException:
+ logger.critical('Timed out waiting for Horizon')
+ browser.quit()
+ sys.exit(1)
+
+try:
+ logger.info('Attempting to log into Horizon')
+ browser.find_element_by_name('domain').send_keys(user_domain_name)
+ browser.find_element_by_name('username').send_keys(keystone_user)
+ browser.find_element_by_name('password').send_keys(keystone_password)
+ browser.find_element_by_id('loginBtn').click()
+ WebDriverWait(browser, 15).until(
+ EC.presence_of_element_located((By.ID, 'navbar-collapse'))
+ )
+ logger.info("Successfully logged into Horizon")
+except (TimeoutException, NoSuchElementException):
+ logger.error('Failed to login to Horizon')
+ browser.quit()
+ sys.exit(1)
+
+browser.quit()
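Review bot: `browser.quit()` runs only on the two handled exception paths and at the end of the script, so any other exception leaves a headless Chrome process running until the pod is torn down; wrapping both `try` blocks in one `try: ... finally: browser.quit()` and dropping the per-branch `quit()` calls closes that gap. The `find_element_by_name` / `find_element_by_id` helpers and the `webdriver.Chrome(chrome_driver, chrome_options=options)` call form were removed in Selenium 4.x, so on a current driver image the first login step raises `AttributeError` rather than the caught exceptions; `browser.find_element(By.NAME, 'domain')` and `webdriver.Chrome(service=Service(chrome_driver), options=options)` are the replacements. `--no-sandbox` disables Chrome's process sandbox and is presumably needed because the test container runs as root; a comment stating that, e.g. `# Chrome refuses to start as root without this; run the test pod non-root to drop it`, keeps the flag from being copied elsewhere uncritically.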
diff --git a/charts/horizon/templates/certificates.yaml b/charts/horizon/templates/certificates.yaml
new file mode 100644
index 0000000..8dbb884
--- /dev/null
+++ b/charts/horizon/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/horizon/templates/configmap-bin.yaml b/charts/horizon/templates/configmap-bin.yaml
new file mode 100644
index 0000000..5107499
--- /dev/null
+++ b/charts/horizon/templates/configmap-bin.yaml
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: horizon-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ horizon.sh: |
+{{ tuple "bin/_horizon.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ manage.py: |
+{{ tuple "bin/_manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ django.wsgi: |
+{{ tuple "bin/_django.wsgi.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ selenium-test.py: |
+{{ tuple "bin/_selenium-test.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/horizon/templates/configmap-etc.yaml b/charts/horizon/templates/configmap-etc.yaml
new file mode 100644
index 0000000..d02cf2b
--- /dev/null
+++ b/charts/horizon/templates/configmap-etc.yaml
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: horizon-etc
+type: Opaque
+data:
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.apache "key" "horizon.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.local_settings.template "key" "local_settings" "format" "Secret" ) | indent 2 }}
+{{- if .Values.conf.horizon.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+{{- range $key, $value := .Values.conf.horizon.policy }}
+ {{ printf "%s_policy.json" $key }}: {{ $value | toPrettyJson | b64enc }}
+{{- end }}
+{{- range $key, $value := .Values.conf.horizon.policy }}
+ {{ printf "%s_policy.yaml" $key }}: {{ toYaml $value | b64enc }}
+{{- end }}
+{{- range $key, $value := .Values.conf.horizon.local_settings_d }}
+ {{ printf "%s.py" $key }}: {{ $value | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/horizon/templates/configmap-logo.yaml b/charts/horizon/templates/configmap-logo.yaml
new file mode 100644
index 0000000..4f67f01
--- /dev/null
+++ b/charts/horizon/templates/configmap-logo.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_logo }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: horizon-logo
+binaryData:
+ favicon.ico: {{ .Values.conf.horizon.branding.favicon }}
+data:
+ logo-splash.svg: {{ .Values.conf.horizon.branding.logo_splash | nindent 4 }}
+ logo.svg: {{ .Values.conf.horizon.branding.logo | nindent 4 }}
+{{- end }}
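Review bot: `logo-splash.svg: {{ ... | nindent 4 }}` and `logo.svg: {{ ... | nindent 4 }}` write the SVG text as a plain multi-line scalar, which is valid YAML only while the value contains no `: ` or ` #` sequences and does not start with an indicator; an `<!-- -->` comment or a `<?xml ... ?>` prologue in the supplied SVG breaks the manifest at render time. Encoding the value instead, `logo.svg: {{ .Values.conf.horizon.branding.logo | quote }}`, yields a correct scalar for any content (assuming operators supply raw SVG text here rather than a pre-formatted block scalar — worth confirming against values.yaml). `favicon.ico` sits under `binaryData` and so must already be base64; a comment saying so would save the next operator a failed apply.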
diff --git a/charts/horizon/templates/deployment.yaml b/charts/horizon/templates/deployment.yaml
new file mode 100644
index 0000000..e3978c5
--- /dev/null
+++ b/charts/horizon/templates/deployment.yaml
@@ -0,0 +1,186 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+
+{{- $mounts_horizon := .Values.pod.mounts.horizon.horizon }}
+{{- $mounts_horizon_init := .Values.pod.mounts.horizon.init_container }}
+
+{{- $serviceAccountName := "horizon" }}
+{{ tuple $envAll "dashboard" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: horizon
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.server }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "horizon" "containerNames" (list "horizon" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "horizon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.dashboard.node_selector_key }}: {{ .Values.labels.dashboard.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.horizon.enabled }}
+{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.horizon.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "dashboard" $mounts_horizon_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: horizon
+{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "horizon" "container" "horizon" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/horizon.sh
+ - start
+ env:
+ - name: MY_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/horizon.sh
+ - stop
+ ports:
+ - name: web
+ containerPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ httpGet:
+ scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 180
+ periodSeconds: 60
+ timeoutSeconds: 5
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: static-horizon
+ mountPath: /var/www/html/
+ - name: horizon-bin
+ mountPath: /tmp/horizon.sh
+ subPath: horizon.sh
+ readOnly: true
+ - name: horizon-bin
+ mountPath: /tmp/manage.py
+ subPath: manage.py
+ readOnly: true
+ - name: horizon-etc
+ mountPath: {{ .Values.conf.software.apache2.site_dir }}/000-default.conf
+ subPath: horizon.conf
+ readOnly: true
+ {{- if .Values.conf.horizon.security }}
+ - name: horizon-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+ subPath: security.conf
+ readOnly: true
+ {{- end }}
+ - name: horizon-bin
+ mountPath: /var/www/cgi-bin/horizon/django.wsgi
+ subPath: django.wsgi
+ readOnly: true
+ - name: horizon-etc
+ mountPath: /etc/openstack-dashboard/local_settings
+ subPath: local_settings
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.horizon.policy }}
+ {{- $policyYamlFile := printf "/etc/openstack-dashboard/%s_policy.yaml" $key }}
+ - name: horizon-etc
+ mountPath: {{ $policyYamlFile }}
+ subPath: {{ base $policyYamlFile }}
+ readOnly: true
+ {{- end }}
+ {{- range $key, $value := $envAll.Values.conf.horizon.policy }}
+ {{- $policyJsonFile := printf "/etc/openstack-dashboard/%s_policy.json" $key }}
+ - name: horizon-etc
+ mountPath: {{ $policyJsonFile }}
+ subPath: {{ base $policyJsonFile }}
+ readOnly: true
+ {{- end }}
+ {{- range $key, $value := $envAll.Values.conf.horizon.local_settings_d }}
+ {{- $localSettingsFile := printf "/etc/openstack-dashboard/local_settings.d/%s.py" $key }}
+ - name: horizon-etc
+ mountPath: {{ $localSettingsFile }}
+ subPath: {{ base $localSettingsFile }}
+ readOnly: true
+ {{- end }}
+ {{- if .Values.manifests.configmap_logo }}
+ - name: horizon-logo
+ mountPath: /tmp/logo.svg
+ subPath: logo.svg
+ - name: horizon-logo
+ mountPath: /tmp/logo-splash.svg
+ subPath: logo-splash.svg
+ - name: horizon-logo
+ mountPath: /tmp/favicon.ico
+ subPath: favicon.ico
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: wsgi-horizon
+ emptyDir: {}
+ - name: static-horizon
+ emptyDir: {}
+ - name: horizon-bin
+ configMap:
+ name: horizon-bin
+ defaultMode: 0555
+ - name: horizon-etc
+ secret:
+ secretName: horizon-etc
+ defaultMode: 0444
+ {{- if .Values.manifests.configmap_logo }}
+ - name: horizon-logo
+ configMap:
+ name: horizon-logo
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
+{{- end }}
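Review bot: The `wsgi-horizon` emptyDir declared in `volumes:` is never referenced by any `volumeMounts` entry of the horizon container, so it is dead configuration attached to every pod; either drop those two lines or add the mount that was intended. The `defaultMode: 0555` / `defaultMode: 0444` values rely on YAML 1.1 octal parsing, which Kubernetes accepts, but a comment noting that they are octal would stop a future reformatter from quoting or decimalising them. The `horizon-etc` secret carries `local_settings` (which presumably holds the Django secret key and DB URL) and is mounted `readOnly: true` everywhere, which is the right default; keep that when new mounts are added.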
diff --git a/charts/horizon/templates/ingress-api.yaml b/charts/horizon/templates/ingress-api.yaml
new file mode 100644
index 0000000..252ac52
--- /dev/null
+++ b/charts/horizon/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
+{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
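Review bot: The `certIssuer` lookup at `set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name` dereferences four nested keys unguarded, so enabling `manifests.certificates` with a TLS secret name but without a `host_fqdn_override.default.tls.issuerRef` block in values presumably fails the render with a nil-pointer error rather than a readable message. Either guard the lookup with `hasKey`/`dig` before calling `set`, or document in values.yaml next to `host_fqdn_override` that `default.tls.issuerRef.name` is mandatory whenever certificates are enabled.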
diff --git a/charts/horizon/templates/job-db-drop.yaml b/charts/horizon/templates/job-db-drop.yaml
new file mode 100644
index 0000000..6f761d7
--- /dev/null
+++ b/charts/horizon/templates/job-db-drop.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
+{{- $dbDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.horizon.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/horizon/templates/job-db-init.yaml b/charts/horizon/templates/job-db-init.yaml
new file mode 100644
index 0000000..67169b5
--- /dev/null
+++ b/charts/horizon/templates/job-db-init.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
+{{- $dbInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.horizon.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
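Review bot: The named template at `{{- define "metadata.annotations.job.db_init" }}` uses an un-namespaced name; Helm template names are global across a chart and its subcharts, so another chart bundled alongside this one that defines the same name would presumably override it depending on load order. Prefixing it with the chart name, `{{- define "horizon.metadata.annotations.job.db_init" }}` together with the matching `include` on the `jobAnnotations` line, removes the ambiguity. This is a style concern; the rendered annotations are correct as written.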
diff --git a/charts/horizon/templates/job-db-sync.yaml b/charts/horizon/templates/job-db-sync.yaml
new file mode 100644
index 0000000..c2229cd
--- /dev/null
+++ b/charts/horizon/templates/job-db-sync.yaml
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $envAll := . }}
+
+{{- $mounts_horizon_db_sync := .Values.pod.mounts.horizon_db_sync.horizon_db_sync }}
+{{- $mounts_horizon_db_sync_init := .Values.pod.mounts.horizon_db_sync.init_container }}
+
+{{- $serviceAccountName := "horizon-db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: horizon-db-sync
+ labels:
+{{ tuple $envAll "horizon" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "-4"
+{{- end }}
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "horizon" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "horizon-db-sync" "containerNames" (list "horizon-db-sync" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "db_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.horizon.enabled }}
+{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ initContainers:
+{{ tuple $envAll "db_sync" $mounts_horizon_db_sync_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: horizon-db-sync
+{{ tuple $envAll "horizon_db_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "db_sync" "container" "horizon_db_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: horizon-etc
+ mountPath: /etc/openstack-dashboard/local_settings
+ subPath: local_settings
+ readOnly: true
+ - name: horizon-bin
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: horizon-bin
+ mountPath: /tmp/manage.py
+ subPath: manage.py
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 10 }}
+{{ if $mounts_horizon_db_sync.volumeMounts }}{{ toYaml $mounts_horizon_db_sync.volumeMounts | indent 10 }}{{ end }}
+ volumes:
+ - name: horizon-etc
+ secret:
+ secretName: horizon-etc
+ defaultMode: 0444
+ - name: horizon-bin
+ configMap:
+ name: horizon-bin
+ defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 6 }}
+{{ if $mounts_horizon_db_sync.volumes }}{{ toYaml $mounts_horizon_db_sync.volumes | indent 6 }}{{ end }}
+{{- end }}
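Review bot: The hook annotations at `helm.sh/hook: post-install,post-upgrade` / `helm.sh/hook-weight: "-4"` are inlined under `annotations:` here, whereas job-db-init builds the same pair through a named template and `fromYaml`; using one pattern for both jobs would read better, and the inline form used here is the simpler of the two. A short comment above the `{{- if .Values.helm3_hook }}` such as `# weight -4 runs after db-init (-5) so the schema exists before sync` would also document why the two weights differ.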
diff --git a/charts/horizon/templates/job-image-repo-sync.yaml b/charts/horizon/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..e98bbb2
--- /dev/null
+++ b/charts/horizon/templates/job-image-repo-sync.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "horizon" -}}
+{{- if .Values.pod.tolerations.horizon.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/horizon/templates/network_policy.yaml b/charts/horizon/templates/network_policy.yaml
new file mode 100644
index 0000000..edba466
--- /dev/null
+++ b/charts/horizon/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "horizon" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
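Review bot: The license header is written with `#` YAML comments rather than the `{{/* ... */}}` template comment every other template in this chart uses, so these lines are copied into the rendered manifest instead of being stripped at template time. Harmless to the API server, but switching to the template-comment form keeps `helm template` output consistent with the rest of the chart.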
diff --git a/charts/horizon/templates/pdb.yaml b/charts/horizon/templates/pdb.yaml
new file mode 100644
index 0000000..7967985
--- /dev/null
+++ b/charts/horizon/templates/pdb.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: horizon
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.horizon.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/horizon/templates/pod-helm-tests.yaml b/charts/horizon/templates/pod-helm-tests.yaml
new file mode 100644
index 0000000..dbcb9a3
--- /dev/null
+++ b/charts/horizon/templates/pod-helm-tests.yaml
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_helm_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.horizon_tests.horizon_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.horizon_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ print $envAll.Release.Name "-test" }}
+ labels:
+{{ tuple $envAll "horizon" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "horizon-test" "containerNames" (list "init" "horizon-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+ restartPolicy: Never
+ serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.horizon.enabled }}
+{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ containers:
+ - name: horizon-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "horizon_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+ command:
+ - /tmp/selenium-test.py
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: HORIZON_URI
+ value: {{ tuple "dashboard" "public" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: horizon-bin
+ mountPath: /tmp/selenium-test.py
+ subPath: selenium-test.py
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: horizon-bin
+ configMap:
+ name: horizon-bin
+ defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
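Review bot: The tolerations snippet at `{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}` is indented by 6, but this is a bare Pod whose `spec:` children sit at 2 spaces (`restartPolicy`, `serviceAccountName`, `nodeSelector` in the same block), so the snippet's `tolerations:` key presumably lands at column 6 after `serviceAccountName: ...` and yields an invalid document whenever `pod.tolerations.horizon.enabled` is true; the 6 looks copied from the Deployment, where the pod spec is nested two levels deeper. `| indent 2` is what the sibling `kubernetes_pod_security_context` snippet in this `spec:` uses. Separately, the test container is handed the Keystone admin openrc via `ksUserSecret .Values.secrets.identity.admin`; if the selenium login does not need admin rights, a dedicated lower-privileged account would limit what a compromised or verbose test pod can do.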
diff --git a/charts/horizon/templates/secret-db.yaml b/charts/horizon/templates/secret-db.yaml
new file mode 100644
index 0000000..cfc7dac
--- /dev/null
+++ b/charts/horizon/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "horizon" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
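Review bot: The loop variable `$key1` in `{{- range $key1, $userClass := tuple "admin" "horizon" }}` is never used; `{{- range $userClass := tuple "admin" "horizon" }}` binds the element directly and reads cleaner. The TLS branch bakes `ssl_ca`, `ssl_key`, `ssl_cert` and `ssl_verify_cert` paths into `DB_CONNECTION`, and those paths only work because they match the `/etc/mysql/certs` mount in deployment.yaml and job-db-sync.yaml; a one-line comment above the `if`, `# paths must match the tls_volume_mount "path" in deployment.yaml and job-db-sync.yaml`, would keep them from drifting apart.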
diff --git a/charts/horizon/templates/secret-ingress-tls.yaml b/charts/horizon/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..fb37f7f
--- /dev/null
+++ b/charts/horizon/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" ) }}
+{{- end }}
diff --git a/charts/horizon/templates/secret-keystone.yaml b/charts/horizon/templates/secret-keystone.yaml
new file mode 100644
index 0000000..7286f3f
--- /dev/null
+++ b/charts/horizon/templates/secret-keystone.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- $secretName := index $envAll.Values.secrets.identity.admin }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple "admin" "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
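Review bot: `{{- $secretName := index $envAll.Values.secrets.identity.admin }}` calls `index` with no index arguments, which just returns its first argument, so the call is a no-op; `{{- $secretName := $envAll.Values.secrets.identity.admin }}` says the same thing without the misleading function. The trailing `-}}` on the openrc `include` line trims the newline before `{{- end }}`, which is fine here because nothing follows the `data:` block.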
diff --git a/charts/horizon/templates/service-ingress.yaml b/charts/horizon/templates/service-ingress.yaml
new file mode 100644
index 0000000..6adac84
--- /dev/null
+++ b/charts/horizon/templates/service-ingress.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress .Values.network.dashboard.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "dashboard" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/horizon/templates/service.yaml b/charts/horizon/templates/service.yaml
new file mode 100644
index 0000000..579e73f
--- /dev/null
+++ b/charts/horizon/templates/service.yaml
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "dashboard" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ {{ if .Values.network.node_port.enabled }}
+ - name: web
+ protocol: TCP
+ nodePort: {{ .Values.network.node_port.port }}
+ port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ targetPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ else }}
+ - name: web
+ protocol: TCP
+ port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ targetPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
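Review bot: The `if`/`else` at `{{ if .Values.network.node_port.enabled }}` duplicates the whole `web` port entry when the only difference between the branches is the `nodePort:` line; folding it into a single entry with the conditional around that one line removes the repeated `port`/`targetPort` lookups and keeps them from drifting apart. The untrimmed `{{ if }}`/`{{ else }}`/`{{ end }}` actions also leave indented blank lines in the rendered Service, which is harmless but noisy in `helm template` output; the `{{-` form used elsewhere in the chart avoids it.
```yaml
  ports:
    - name: web
      protocol: TCP
      {{- if .Values.network.node_port.enabled }}
      nodePort: {{ .Values.network.node_port.port }}
      {{- end }}
      port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      targetPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
  # … unchanged: selector and NodePort type block …
```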
diff --git a/charts/horizon/values.yaml b/charts/horizon/values.yaml
new file mode 100644
index 0000000..4ea901b
--- /dev/null
+++ b/charts/horizon/values.yaml
@@ -0,0 +1,1381 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for horizon.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+images:
+ tags:
+ db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ horizon_db_sync: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
+ db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ horizon: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
+ test: docker.io/openstackhelm/osh-selenium:latest-ubuntu_bionic
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+release_group: null
+
+labels:
+ dashboard:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+network:
+ dashboard:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 31000
+
+conf:
+ software:
+ apache2:
+ binary: apache2
+ start_parameters: -DFOREGROUND
+ site_dir: /etc/apache2/sites-available
+ conf_dir: /etc/apache2/conf-available
+ mods_dir: /etc/apache2/mods-available
+ a2enmod:
+ - headers
+ - rewrite
+ a2dismod:
+ - status
+ horizon:
+ branding:
+ logo:
+ logo_splash:
+ favicon:
+ apache: |
+ <IfVersion < 2.4>
+ Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ </IfVersion>
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+ <VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+ WSGIScriptReloading On
+ WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
+ WSGIProcessGroup horizon-http
+ WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
+ WSGIPassAuthorization On
+ RewriteEngine on
+ RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
+ RewriteRule .* - [F]
+
+ <Location "/">
+ Require all granted
+ </Location>
+
+ Alias /static /var/www/html/horizon
+ <Location "/static">
+ SetHandler static
+ </Location>
+
+ <IfVersion >= 2.4>
+ ErrorLogFormat "%{cu}t %M"
+ </IfVersion>
+ ErrorLog /dev/stdout
+ TransferLog /dev/stdout
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+ </Virtualhost>
+ security: |
+ #
+ # Disable access to the entire file system except for the directories that
+ # are explicitly allowed later.
+ #
+ # This currently breaks the configurations that come with some web application
+ # Debian packages.
+ #
+ #<Directory />
+ # AllowOverride None
+ # Require all denied
+ #</Directory>
+
+ # Changing the following options will not really affect the security of the
+ # server, but might make attacks slightly more difficult in some cases.
+
+ #
+ # ServerTokens
+ # This directive configures what you return as the Server HTTP response
+ # Header. The default is 'Full' which sends information about the OS-Type
+ # and compiled in modules.
+ # Set to one of: Full | OS | Minimal | Minor | Major | Prod
+ # where Full conveys the most information, and Prod the least.
+ ServerTokens Prod
+
+ #
+ # Optionally add a line containing the server version and virtual host
+ # name to server-generated pages (internal error documents, FTP directory
+ # listings, mod_status and mod_info output etc., but not CGI generated
+ # documents or custom error documents).
+ # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+ # Set to one of: On | Off | EMail
+ ServerSignature Off
+
+ #
+ # Allow TRACE method
+ #
+ # Set to "extended" to also reflect the request body (only for testing and
+ # diagnostic purposes).
+ #
+ # Set to one of: On | Off | extended
+ TraceEnable Off
+
+ #
+ # Forbid access to version control directories
+ #
+ # If you use version control systems in your document root, you should
+ # probably deny access to their directories. For example, for subversion:
+ #
+ #<DirectoryMatch "/\.svn">
+ # Require all denied
+ #</DirectoryMatch>
+
+ #Security-Settings
+ # Setting this header will prevent MSIE from interpreting files as something
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+ Header set X-Content-Type-Options: "nosniff"
+ Header set X-Permitted-Cross-Domain-Policies: "none"
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+ local_settings_d: {}
+ ## For example, _50_monasca_ui_settings.py
+ # _50_monasca_ui_settings: |
+ # from django.conf import settings
+ # # Grafana button titles/file names (global across all projects):
+ # GRAFANA_LINKS = []
+ # DASHBOARDS = getattr(settings, 'GRAFANA_LINKS', GRAFANA_LINKS)
+
+ local_settings:
+ config:
+ # Use "True" and "False" as Titlecase strings with quotes, boolean
+ # values will not work
+ horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
+ debug: "False"
+ use_ssl: "False"
+ endpoint_type: "internalURL"
+ keystone_multidomain_support: "True"
+ keystone_default_domain: Default
+ disable_password_reveal: "True"
+ show_openrc_file: "True"
+ csrf_cookie_secure: "False"
+ csrf_cookie_httponly: "False"
+ enforce_password_check: "True"
+ # Set enable_pwd_validator to true to enforce password validator settings.
+ enable_pwd_validator: false
+ pwd_validator_regex: '(?=.*[a-zA-Z])(?=.*\d).{8,}|(?=.*\d)(?=.*\W).{8,}|(?=.*\W)(?=.*[a-zA-Z]).{8,}'
+ pwd_validator_help_text: '_("Your password must be at least eight (8) characters in length and must include characters from at least two (2) of these groupings: alpha, numeric, and special characters.")'
+ session_cookie_secure: "False"
+ session_cookie_httponly: "False"
+ secure_proxy_ssl_header: false
+ password_autocomplete: "False"
+ disallow_iframe_embed: "False"
+ allowed_hosts:
+ - '*'
+ horizon_images_upload_mode: 'legacy'
+ openstack_cinder_features:
+ enable_backup: "True"
+ openstack_neutron_network:
+ enable_router: "True"
+ enable_quotas: "True"
+ enable_ipv6: "True"
+ enable_distributed_router: "False"
+ enable_ha_router: "False"
+ enable_lb: "True"
+ enable_firewall: "True"
+ enable_vpn: "True"
+ enable_fip_topology_check: "True"
+ openstack_enable_password_retrieve: "False"
+ auth:
+ sso:
+ enabled: False
+ initial_choice: "credentials"
+ idp_mapping:
+ - name: "acme_oidc"
+ label: "Acme Corporation - OpenID Connect"
+ idp: "myidp1"
+ protocol: "oidc"
+ - name: "acme_saml2"
+ label: "Acme Corporation - SAML2"
+ idp: "myidp2"
+ protocol: "saml2"
+ log_level: "DEBUG"
+ # Pass any settings to the end of local_settings.py
+ raw: {}
+ openstack_api_versions:
+ container_infra: "1.19"
+ template: |
+ import os
+
+ from django.utils.translation import ugettext_lazy as _
+
+ from openstack_dashboard import exceptions
+
+ DEBUG = {{ .Values.conf.horizon.local_settings.config.debug }}
+ TEMPLATE_DEBUG = DEBUG
+
+ COMPRESS_OFFLINE = True
+ COMPRESS_CSS_HASHING_METHOD = "hash"
+
+ # WEBROOT is the location relative to Webserver root
+ # should end with a slash.
+ WEBROOT = '/'
+ # LOGIN_URL = WEBROOT + 'auth/login/'
+ # LOGOUT_URL = WEBROOT + 'auth/logout/'
+ #
+ # LOGIN_REDIRECT_URL can be used as an alternative for
+ # HORIZON_CONFIG.user_home, if user_home is not set.
+ # Do not set it to '/home/', as this will cause circular redirect loop
+ # LOGIN_REDIRECT_URL = WEBROOT
+
+ # Required for Django 1.5.
+ # If horizon is running in production (DEBUG is False), set this
+ # with the list of host/domain names that the application can serve.
+ # For more information see:
+ # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
+ ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }},'%s' % (os.environ.get("MY_POD_IP"))]
+
+ # Set SSL proxy settings:
+ # For Django 1.4+ pass this header from the proxy after terminating the SSL,
+ # and don't forget to strip it from the client's request.
+ # For more information see:
+ # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
+ #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
+ # https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
+ {{- if .Values.conf.horizon.local_settings.config.secure_proxy_ssl_header }}
+ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+ {{- end }}
+
+ # If Horizon is being served through SSL, then uncomment the following two
+ # settings to better secure the cookies from security exploits
+ USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
+ CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
+ CSRF_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_httponly }}
+ SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
+
+ SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
+
+ # Overrides for OpenStack API versions. Use this setting to force the
+ # OpenStack dashboard to use a specific API version for a given service API.
+ # Versions specified here should be integers or floats, not strings.
+ # NOTE: The version should be formatted as it appears in the URL for the
+ # service API. For example, The identity service APIs have inconsistent
+ # use of the decimal point, so valid options would be 2.0 or 3.
+ #OPENSTACK_API_VERSIONS = {
+ # "data-processing": 1.1,
+ # "identity": 3,
+ # "volume": 2,
+ #}
+
+ OPENSTACK_API_VERSIONS = {
+ "identity": 3,
+ "container-infra": {{ .Values.conf.horizon.local_settings.config.openstack_api_versions.container_infra }}
+ }
+
+ # Set this to True if running on multi-domain model. When this is enabled, it
+ # will require user to enter the Domain name in addition to username for login.
+ OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = {{ .Values.conf.horizon.local_settings.config.keystone_multidomain_support }}
+
+ # Overrides the default domain used when running on single-domain model
+ # with Keystone V3. All entities will be created in the default domain.
+ OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = '{{ .Values.conf.horizon.local_settings.config.keystone_default_domain }}'
+
+ # Set Console type:
+ # valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
+ # Set to None explicitly if you want to deactivate the console.
+ #CONSOLE_TYPE = "AUTO"
+
+ # Default OpenStack Dashboard configuration.
+ HORIZON_CONFIG = {
+ 'user_home': 'openstack_dashboard.views.get_user_home',
+ 'ajax_queue_limit': 10,
+ 'auto_fade_alerts': {
+ 'delay': 3000,
+ 'fade_duration': 1500,
+ 'types': ['alert-success', 'alert-info']
+ },
+ 'help_url': "http://docs.openstack.org",
+ 'exceptions': {'recoverable': exceptions.RECOVERABLE,
+ 'not_found': exceptions.NOT_FOUND,
+ 'unauthorized': exceptions.UNAUTHORIZED},
+ 'modal_backdrop': 'static',
+ 'angular_modules': [],
+ 'js_files': [],
+ 'js_spec_files': [],
+ }
+
+ {{- if .Values.conf.horizon.local_settings.config.enable_pwd_validator }}
+ # Specify a regular expression to validate user passwords.
+ HORIZON_CONFIG["password_validator"] = {
+ "regex": '{{ .Values.conf.horizon.local_settings.config.pwd_validator_regex }}',
+ "help_text": {{ .Values.conf.horizon.local_settings.config.pwd_validator_help_text }},
+ }
+ {{- end }}
+
+ # Disable simplified floating IP address management for deployments with
+ # multiple floating IP pools or complex network requirements.
+ #HORIZON_CONFIG["simple_ip_management"] = False
+
+ # Turn off browser autocompletion for forms including the login form and
+ # the database creation workflow if so desired.
+ HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'
+
+ # Setting this to True will disable the reveal button for password fields,
+ # including on the login form.
+ HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}
+
+ LOCAL_PATH = '/tmp'
+
+ # Set custom secret key:
+ # You can either set it to a specific value or you can let horizon generate a
+ # default secret key that is unique on this machine, e.i. regardless of the
+ # amount of Python WSGI workers (if used behind Apache+mod_wsgi): However,
+ # there may be situations where you would want to set this explicitly, e.g.
+ # when multiple dashboard instances are distributed on different machines
+ # (usually behind a load-balancer). Either you have to make sure that a session
+ # gets all requests routed to the same dashboard instance or you set the same
+ # SECRET_KEY for all of them.
+ SECRET_KEY='{{ .Values.conf.horizon.local_settings.config.horizon_secret_key }}'
+
+ CACHES = {
+ 'default': {
+ 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+ 'LOCATION': '{{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}',
+ }
+ }
+ DATABASES = {
+ 'default': {
+ # Database configuration here
+ 'ENGINE': 'django.db.backends.mysql',
+ 'NAME': '{{ .Values.endpoints.oslo_db.path | base }}',
+ 'USER': '{{ .Values.endpoints.oslo_db.auth.horizon.username }}',
+ 'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}',
+ 'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}',
+ 'default-character-set': 'utf8',
+ {{- if .Values.manifests.certificates }}
+ 'OPTIONS':{
+ 'ssl': {
+ 'ca': '/etc/mysql/certs/ca.crt',
+ 'cert': '/etc/mysql/certs/tls.crt',
+ 'key': '/etc/mysql/certs/tls.key'
+ }
+ },
+ {{- end }}
+ 'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}'
+ }
+ }
+ SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
+
+ # Send email to the console by default
+ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+ # Or send them to /dev/null
+ #EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'
+
+ # Configure these for your outgoing email host
+ #EMAIL_HOST = 'smtp.my-company.com'
+ #EMAIL_PORT = 25\\
+ #EMAIL_HOST_USER = 'djangomail'
+ #EMAIL_HOST_PASSWORD = 'top-secret!'
+
+ # For multiple regions uncomment this configuration, and add (endpoint, title).
+ #AVAILABLE_REGIONS = [
+ # ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
+ # ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
+ #]
+
+ OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
+ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"
+
+ # This setting specifies the name of the header with remote IP address. If not present,
+ # then REMOTE_ADDR header is used. The commom value for this setting is HTTP_X_REAL_IP
+ # or HTTP_X_FORWARDED_FORx
+ SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'
+
+ {{- if .Values.conf.horizon.local_settings.config.auth.sso.enabled }}
+ # Enables keystone web single-sign-on if set to True.
+ WEBSSO_ENABLED = True
+
+ # Determines which authentication choice to show as default.
+ WEBSSO_INITIAL_CHOICE = "{{ .Values.conf.horizon.local_settings.config.auth.sso.initial_choice }}"
+
+ # The list of authentication mechanisms
+ # which include keystone federation protocols.
+ # Current supported protocol IDs are 'saml2' and 'oidc'
+ # which represent SAML 2.0, OpenID Connect respectively.
+ # Do not remove the mandatory credentials mechanism.
+ WEBSSO_CHOICES = (
+ ("credentials", _("Keystone Credentials")),
+ {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
+ ({{ $sso.name | quote }}, {{ $sso.label | quote }}),
+ {{- end }}
+ )
+
+ WEBSSO_IDP_MAPPING = {
+ {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
+ {{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}),
+ {{- end }}
+ }
+
+ {{- end }}
+
+ # Disable SSL certificate checks (useful for self-signed certificates):
+ #OPENSTACK_SSL_NO_VERIFY = True
+
+ {{- if .Values.manifests.certificates }}
+ # The CA certificate to use to verify SSL connections
+ OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
+ {{- end }}
+
+ # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
+ # capabilities of the auth backend for Keystone.
+ # If Keystone has been configured to use LDAP as the auth backend then set
+ # can_edit_user to False and name to 'ldap'.
+ #
+ # TODO(tres): Remove these once Keystone has an API to identify auth backend.
+ OPENSTACK_KEYSTONE_BACKEND = {
+ 'name': 'native',
+ 'can_edit_user': True,
+ 'can_edit_group': True,
+ 'can_edit_project': True,
+ 'can_edit_domain': True,
+ 'can_edit_role': True,
+ }
+
+ # Setting this to True, will add a new "Retrieve Password" action on instance,
+ # allowing Admin session password retrieval/decryption.
+ OPENSTACK_ENABLE_PASSWORD_RETRIEVE = {{ .Values.conf.horizon.local_settings.config.openstack_enable_password_retrieve }}
+ # Controls whether the keystone openrc file is accessible from the user menu and the api access panel.
+ SHOW_OPENRC_FILE = {{ .Values.conf.horizon.local_settings.config.show_openrc_file }}
+ # The Launch Instance user experience has been significantly enhanced.
+ # You can choose whether to enable the new launch instance experience,
+ # the legacy experience, or both. The legacy experience will be removed
+ # in a future release, but is available as a temporary backup setting to ensure
+ # compatibility with existing deployments. Further development will not be
+ # done on the legacy experience. Please report any problems with the new
+ # experience via the StoryBoard tracking system.
+ #
+ # Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to
+ # determine the experience to enable. Set them both to true to enable
+ # both.
+ #LAUNCH_INSTANCE_LEGACY_ENABLED = True
+ #LAUNCH_INSTANCE_NG_ENABLED = False
+
+ # The Xen Hypervisor has the ability to set the mount point for volumes
+ # attached to instances (other Hypervisors currently do not). Setting
+ # can_set_mount_point to True will add the option to set the mount point
+ # from the UI.
+ OPENSTACK_HYPERVISOR_FEATURES = {
+ 'can_set_mount_point': False,
+ 'can_set_password': False,
+ }
+
+ # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
+ # services provided by cinder that is not exposed by its extension API.
+ OPENSTACK_CINDER_FEATURES = {
+ 'enable_backup': {{ .Values.conf.horizon.local_settings.config.openstack_cinder_features.enable_backup }},
+ }
+
+ # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
+ # services provided by neutron. Options currently available are load
+ # balancer service, security groups, quotas, VPN service.
+ OPENSTACK_NEUTRON_NETWORK = {
+ 'enable_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_router }},
+ 'enable_quotas': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_quotas }},
+ 'enable_ipv6': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ipv6 }},
+ 'enable_distributed_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_distributed_router }},
+ 'enable_ha_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ha_router }},
+ 'enable_lb': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_lb }},
+ 'enable_firewall': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_firewall }},
+ 'enable_vpn': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_vpn }},
+ 'enable_fip_topology_check': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_fip_topology_check }},
+
+ # The profile_support option is used to detect if an external router can be
+ # configured via the dashboard. When using specific plugins the
+ # profile_support can be turned on if needed.
+ 'profile_support': None,
+ #'profile_support': 'cisco',
+
+ # Set which provider network types are supported. Only the network types
+ # in this list will be available to choose from when creating a network.
+ # Network types include local, flat, vlan, gre, and vxlan.
+ 'supported_provider_types': ['*'],
+
+ # Set which VNIC types are supported for port binding. Only the VNIC
+ # types in this list will be available to choose from when creating a
+ # port.
+ # VNIC types include 'normal', 'macvtap' and 'direct'.
+ 'supported_vnic_types': ['*']
+ }
+
+ # The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
+ # in the OpenStack Dashboard related to the Image service, such as the list
+ # of supported image formats.
+ #OPENSTACK_IMAGE_BACKEND = {
+ # 'image_formats': [
+ # ('', _('Select format')),
+ # ('aki', _('AKI - Amazon Kernel Image')),
+ # ('ami', _('AMI - Amazon Machine Image')),
+ # ('ari', _('ARI - Amazon Ramdisk Image')),
+ # ('docker', _('Docker')),
+ # ('iso', _('ISO - Optical Disk Image')),
+ # ('ova', _('OVA - Open Virtual Appliance')),
+ # ('qcow2', _('QCOW2 - QEMU Emulator')),
+ # ('raw', _('Raw')),
+ # ('vdi', _('VDI - Virtual Disk Image')),
+ # ('vhd', ('VHD - Virtual Hard Disk')),
+ # ('vmdk', _('VMDK - Virtual Machine Disk')),
+ # ]
+ #}
+
+ # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
+ # image custom property attributes that appear on image detail pages.
+ IMAGE_CUSTOM_PROPERTY_TITLES = {
+ "architecture": _("Architecture"),
+ "kernel_id": _("Kernel ID"),
+ "ramdisk_id": _("Ramdisk ID"),
+ "image_state": _("Euca2ools state"),
+ "project_id": _("Project ID"),
+ "image_type": _("Image Type"),
+ }
+
+ # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
+ # custom properties should not be displayed in the Image Custom Properties
+ # table.
+ IMAGE_RESERVED_CUSTOM_PROPERTIES = []
+
+ # Set to 'legacy' or 'direct' to allow users to upload images to glance via
+ # Horizon server. When enabled, a file form field will appear on the create
+ # image form. If set to 'off', there will be no file form field on the create
+ # image form. See documentation for deployment considerations.
+ HORIZON_IMAGES_UPLOAD_MODE = '{{ .Values.conf.horizon.local_settings.config.horizon_images_upload_mode }}'
+
+ # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
+ # in the Keystone service catalog. Use this setting when Horizon is running
+ # external to the OpenStack environment. The default is 'publicURL'.
+ OPENSTACK_ENDPOINT_TYPE = "{{ .Values.conf.horizon.local_settings.config.endpoint_type }}"
+
+ # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
+ # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
+ # in the Keystone service catalog. Use this setting when Horizon is running
+ # external to the OpenStack environment. The default is None. This
+ # value should differ from OPENSTACK_ENDPOINT_TYPE if used.
+ SECONDARY_ENDPOINT_TYPE = "publicURL"
+
+ # The number of objects (Swift containers/objects or images) to display
+ # on a single page before providing a paging element (a "more" link)
+ # to paginate results.
+ API_RESULT_LIMIT = 1000
+ API_RESULT_PAGE_SIZE = 20
+
+ # The size of chunk in bytes for downloading objects from Swift
+ SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
+
+ # Specify a maximum number of items to display in a dropdown.
+ DROPDOWN_MAX_ITEMS = 30
+
+ # The timezone of the server. This should correspond with the timezone
+ # of your entire OpenStack installation, and hopefully be in UTC.
+ TIME_ZONE = "UTC"
+
+ # When launching an instance, the menu of available flavors is
+ # sorted by RAM usage, ascending. If you would like a different sort order,
+ # you can provide another flavor attribute as sorting key. Alternatively, you
+ # can provide a custom callback method to use for sorting. You can also provide
+ # a flag for reverse sort. For more info, see
+ # http://docs.python.org/2/library/functions.html#sorted
+ #CREATE_INSTANCE_FLAVOR_SORT = {
+ # 'key': 'name',
+ # # or
+ # 'key': my_awesome_callback_method,
+ # 'reverse': False,
+ #}
+
+ # Set this to True to display an 'Admin Password' field on the Change Password
+ # form to verify that it is indeed the admin logged-in who wants to change
+ # the password.
+ ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check }}
+
+ # Modules that provide /auth routes that can be used to handle different types
+ # of user authentication. Add auth plugins that require extra route handling to
+ # this list.
+ #AUTHENTICATION_URLS = [
+ # 'openstack_auth.urls',
+ #]
+
+ # The Horizon Policy Enforcement engine uses these values to load per service
+ # policy rule files. The content of these files should match the files the
+ # OpenStack services are using to determine role based access control in the
+ # target installation.
+
+ # Path to directory containing policy.yaml files
+ POLICY_FILES_PATH = '/etc/openstack-dashboard'
+ # Map of local copy of service policy files
+ #POLICY_FILES = {
+ # 'identity': 'keystone_policy.yaml',
+ # 'compute': 'nova_policy.yaml',
+ # 'volume': 'cinder_policy.yaml',
+ # 'image': 'glance_policy.yaml',
+ # 'orchestration': 'heat_policy.yaml',
+ # 'network': 'neutron_policy.yaml',
+ # 'telemetry': 'ceilometer_policy.yaml',
+ #}
+
+ # Trove user and database extension support. By default support for
+ # creating users and databases on database instances is turned on.
+ # To disable these extensions set the permission here to something
+ # unusable such as ["!"].
+ # TROVE_ADD_USER_PERMS = []
+ # TROVE_ADD_DATABASE_PERMS = []
+
+ # Change this patch to the appropriate static directory containing
+ # two files: _variables.scss and _styles.scss
+ #CUSTOM_THEME_PATH = 'static/themes/default'
+
+ LOGGING = {
+ 'version': 1,
+ # When set to True this will disable all logging except
+ # for loggers specified in this configuration dictionary. Note that
+ # if nothing is specified here and disable_existing_loggers is True,
+ # django.db.backends will still log unless it is disabled explicitly.
+ 'disable_existing_loggers': False,
+ 'handlers': {
+ 'null': {
+ 'level': 'DEBUG',
+ 'class': 'logging.NullHandler',
+ },
+ 'console': {
+ # Set the level to "DEBUG" for verbose output logging.
+ 'level': 'INFO',
+ 'class': 'logging.StreamHandler',
+ },
+ },
+ 'loggers': {
+ # Logging from django.db.backends is VERY verbose, send to null
+ # by default.
+ 'django.db.backends': {
+ 'handlers': ['null'],
+ 'propagate': False,
+ },
+ 'requests': {
+ 'handlers': ['null'],
+ 'propagate': False,
+ },
+ 'horizon': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'openstack_dashboard': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'novaclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'cinderclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'glanceclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'glanceclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'neutronclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'heatclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'ceilometerclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'troveclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'swiftclient': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'openstack_auth': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'nose.plugins.manager': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'django': {
+ 'handlers': ['console'],
+ 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
+ 'propagate': False,
+ },
+ 'iso8601': {
+ 'handlers': ['null'],
+ 'propagate': False,
+ },
+ 'scss': {
+ 'handlers': ['null'],
+ 'propagate': False,
+ },
+ }
+ }
+
+ # 'direction' should not be specified for all_tcp/udp/icmp.
+ # It is specified in the form.
+ SECURITY_GROUP_RULES = {
+ 'all_tcp': {
+ 'name': _('All TCP'),
+ 'ip_protocol': 'tcp',
+ 'from_port': '1',
+ 'to_port': '65535',
+ },
+ 'all_udp': {
+ 'name': _('All UDP'),
+ 'ip_protocol': 'udp',
+ 'from_port': '1',
+ 'to_port': '65535',
+ },
+ 'all_icmp': {
+ 'name': _('All ICMP'),
+ 'ip_protocol': 'icmp',
+ 'from_port': '-1',
+ 'to_port': '-1',
+ },
+ 'ssh': {
+ 'name': 'SSH',
+ 'ip_protocol': 'tcp',
+ 'from_port': '22',
+ 'to_port': '22',
+ },
+ 'smtp': {
+ 'name': 'SMTP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '25',
+ 'to_port': '25',
+ },
+ 'dns': {
+ 'name': 'DNS',
+ 'ip_protocol': 'tcp',
+ 'from_port': '53',
+ 'to_port': '53',
+ },
+ 'http': {
+ 'name': 'HTTP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '80',
+ 'to_port': '80',
+ },
+ 'pop3': {
+ 'name': 'POP3',
+ 'ip_protocol': 'tcp',
+ 'from_port': '110',
+ 'to_port': '110',
+ },
+ 'imap': {
+ 'name': 'IMAP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '143',
+ 'to_port': '143',
+ },
+ 'ldap': {
+ 'name': 'LDAP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '389',
+ 'to_port': '389',
+ },
+ 'https': {
+ 'name': 'HTTPS',
+ 'ip_protocol': 'tcp',
+ 'from_port': '443',
+ 'to_port': '443',
+ },
+ 'smtps': {
+ 'name': 'SMTPS',
+ 'ip_protocol': 'tcp',
+ 'from_port': '465',
+ 'to_port': '465',
+ },
+ 'imaps': {
+ 'name': 'IMAPS',
+ 'ip_protocol': 'tcp',
+ 'from_port': '993',
+ 'to_port': '993',
+ },
+ 'pop3s': {
+ 'name': 'POP3S',
+ 'ip_protocol': 'tcp',
+ 'from_port': '995',
+ 'to_port': '995',
+ },
+ 'ms_sql': {
+ 'name': 'MS SQL',
+ 'ip_protocol': 'tcp',
+ 'from_port': '1433',
+ 'to_port': '1433',
+ },
+ 'mysql': {
+ 'name': 'MYSQL',
+ 'ip_protocol': 'tcp',
+ 'from_port': '3306',
+ 'to_port': '3306',
+ },
+ 'rdp': {
+ 'name': 'RDP',
+ 'ip_protocol': 'tcp',
+ 'from_port': '3389',
+ 'to_port': '3389',
+ },
+ }
+
+ # Deprecation Notice:
+ #
+ # The setting FLAVOR_EXTRA_KEYS has been deprecated.
+ # Please load extra spec metadata into the Glance Metadata Definition Catalog.
+ #
+ # The sample quota definitions can be found in:
+ # <glance_source>/etc/metadefs/compute-quota.json
+ #
+ # The metadata definition catalog supports CLI and API:
+ # $glance --os-image-api-version 2 help md-namespace-import
+ # $glance-manage db_load_metadefs <directory_with_definition_files>
+ #
+ # See Metadata Definitions on: https://docs.openstack.org/glance/latest/
+
+ # Indicate to the Sahara data processing service whether or not
+ # automatic floating IP allocation is in effect. If it is not
+ # in effect, the user will be prompted to choose a floating IP
+ # pool for use in their cluster. False by default. You would want
+ # to set this to True if you were running Nova Networking with
+ # auto_assign_floating_ip = True.
+ #SAHARA_AUTO_IP_ALLOCATION_ENABLED = False
+
+ # The hash algorithm to use for authentication tokens. This must
+ # match the hash algorithm that the identity server and the
+ # auth_token middleware are using. Allowed values are the
+ # algorithms supported by Python's hashlib library.
+ #OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'
+
+ # AngularJS requires some settings to be made available to
+ # the client side. Some settings are required by in-tree / built-in horizon
+ # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
+ # form of ['SETTING_1','SETTING_2'], etc.
+ #
+ # You may remove settings from this list for security purposes, but do so at
+ # the risk of breaking a built-in horizon feature. These settings are required
+ # for horizon to function properly. Only remove them if you know what you
+ # are doing. These settings may in the future be moved to be defined within
+ # the enabled panel configuration.
+ # You should not add settings to this list for out of tree extensions.
+ # See: https://wiki.openstack.org/wiki/Horizon/RESTAPI
+ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
+ 'LAUNCH_INSTANCE_DEFAULTS',
+ 'OPENSTACK_IMAGE_FORMATS']
+
+ # Additional settings can be made available to the client side for
+ # extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS
+ # !! Please use extreme caution as the settings are transferred via HTTP/S
+ # and are not encrypted on the browser. This is an experimental API and
+ # may be deprecated in the future without notice.
+ #REST_API_ADDITIONAL_SETTINGS = []
+
+ # DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+ # within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+ # Scripting (XFS) vulnerability, so this option allows extra security hardening
+ # where iframes are not used in deployment. Default setting is True.
+ # For more information see:
+ # http://tinyurl.com/anticlickjack
+ DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}
+
+ STATIC_ROOT = '/var/www/html/horizon'
+
+ {{- range $option, $value := .Values.conf.horizon.local_settings.config.raw }}
+ {{ $option }} = {{ toJson $value }}
+ {{- end }}
+ policy:
+ ceilometer:
+ context_is_admin: 'role:admin'
+ context_is_owner: 'user_id:%(target.user_id)s'
+ context_is_project: 'project_id:%(target.project_id)s'
+ segregation: 'rule:context_is_admin'
+ heat:
+ 'actions:action': 'rule:deny_stack_user'
+ 'build_info:build_info': 'rule:deny_stack_user'
+ 'cloudformation:CancelUpdateStack': 'rule:deny_stack_user'
+ 'cloudformation:CreateStack': 'rule:deny_stack_user'
+ 'cloudformation:DeleteStack': 'rule:deny_stack_user'
+ 'cloudformation:DescribeStackEvents': 'rule:deny_stack_user'
+ 'cloudformation:DescribeStackResource': ''
+ 'cloudformation:DescribeStackResources': 'rule:deny_stack_user'
+ 'cloudformation:DescribeStacks': 'rule:deny_stack_user'
+ 'cloudformation:EstimateTemplateCost': 'rule:deny_stack_user'
+ 'cloudformation:GetTemplate': 'rule:deny_stack_user'
+ 'cloudformation:ListStackResources': 'rule:deny_stack_user'
+ 'cloudformation:ListStacks': 'rule:deny_stack_user'
+ 'cloudformation:UpdateStack': 'rule:deny_stack_user'
+ 'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
+ 'cloudwatch:DeleteAlarms': 'rule:deny_stack_user'
+ 'cloudwatch:DescribeAlarmHistory': 'rule:deny_stack_user'
+ 'cloudwatch:DescribeAlarms': 'rule:deny_stack_user'
+ 'cloudwatch:DescribeAlarmsForMetric': 'rule:deny_stack_user'
+ 'cloudwatch:DisableAlarmActions': 'rule:deny_stack_user'
+ 'cloudwatch:EnableAlarmActions': 'rule:deny_stack_user'
+ 'cloudwatch:GetMetricStatistics': 'rule:deny_stack_user'
+ 'cloudwatch:ListMetrics': 'rule:deny_stack_user'
+ 'cloudwatch:PutMetricAlarm': 'rule:deny_stack_user'
+ 'cloudwatch:PutMetricData': ''
+ 'cloudwatch:SetAlarmState': 'rule:deny_stack_user'
+ context_is_admin: 'role:admin'
+ deny_everybody: '!'
+ deny_stack_user: 'not role:heat_stack_user'
+ 'events:index': 'rule:deny_stack_user'
+ 'events:show': 'rule:deny_stack_user'
+ 'resource:index': 'rule:deny_stack_user'
+ 'resource:mark_unhealthy': 'rule:deny_stack_user'
+ 'resource:metadata': ''
+ 'resource:show': 'rule:deny_stack_user'
+ 'resource:signal': ''
+ 'resource_types:OS::Cinder::EncryptedVolumeType': 'rule:context_is_admin'
+ 'resource_types:OS::Cinder::VolumeType': 'rule:context_is_admin'
+ 'resource_types:OS::Manila::ShareType': 'rule:context_is_admin'
+ 'resource_types:OS::Neutron::QoSBandwidthLimitRule': 'rule:context_is_admin'
+ 'resource_types:OS::Neutron::QoSPolicy': 'rule:context_is_admin'
+ 'resource_types:OS::Nova::Flavor': 'rule:context_is_admin'
+ 'resource_types:OS::Nova::HostAggregate': 'rule:context_is_admin'
+ 'service:index': 'rule:context_is_admin'
+ 'software_configs:create': 'rule:deny_stack_user'
+ 'software_configs:delete': 'rule:deny_stack_user'
+ 'software_configs:global_index': 'rule:deny_everybody'
+ 'software_configs:index': 'rule:deny_stack_user'
+ 'software_configs:show': 'rule:deny_stack_user'
+ 'software_deployments:create': 'rule:deny_stack_user'
+ 'software_deployments:delete': 'rule:deny_stack_user'
+ 'software_deployments:index': 'rule:deny_stack_user'
+ 'software_deployments:metadata': ''
+ 'software_deployments:show': 'rule:deny_stack_user'
+ 'software_deployments:update': 'rule:deny_stack_user'
+ 'stacks:abandon': 'rule:deny_stack_user'
+ 'stacks:create': 'rule:deny_stack_user'
+ 'stacks:delete': 'rule:deny_stack_user'
+ 'stacks:delete_snapshot': 'rule:deny_stack_user'
+ 'stacks:detail': 'rule:deny_stack_user'
+ 'stacks:environment': 'rule:deny_stack_user'
+ 'stacks:export': 'rule:deny_stack_user'
+ 'stacks:generate_template': 'rule:deny_stack_user'
+ 'stacks:global_index': 'rule:deny_everybody'
+ 'stacks:index': 'rule:deny_stack_user'
+ 'stacks:list_outputs': 'rule:deny_stack_user'
+ 'stacks:list_resource_types': 'rule:deny_stack_user'
+ 'stacks:list_snapshots': 'rule:deny_stack_user'
+ 'stacks:list_template_functions': 'rule:deny_stack_user'
+ 'stacks:list_template_versions': 'rule:deny_stack_user'
+ 'stacks:lookup': ''
+ 'stacks:preview': 'rule:deny_stack_user'
+ 'stacks:preview_update': 'rule:deny_stack_user'
+ 'stacks:preview_update_patch': 'rule:deny_stack_user'
+ 'stacks:resource_schema': 'rule:deny_stack_user'
+ 'stacks:restore_snapshot': 'rule:deny_stack_user'
+ 'stacks:show': 'rule:deny_stack_user'
+ 'stacks:show_output': 'rule:deny_stack_user'
+ 'stacks:show_snapshot': 'rule:deny_stack_user'
+ 'stacks:snapshot': 'rule:deny_stack_user'
+ 'stacks:template': 'rule:deny_stack_user'
+ 'stacks:update': 'rule:deny_stack_user'
+ 'stacks:update_patch': 'rule:deny_stack_user'
+ 'stacks:validate_template': 'rule:deny_stack_user'
+ # list of panels to enable for horizon
+ # this requires that the panels are already installed in the horizon image, if they are not
+ # nothing will be added
+ # the name of the panel should be the name of the dir where the panel is installed
+ # for example heat_dashboard, cloudkittydashboard or neutron_taas_dashboard
+ extra_panels:
+ - heat_dashboard
+ - neutron_taas_dashboard
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - horizon-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ dashboard:
+ jobs:
+ - horizon-db-sync
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - horizon-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+ tests:
+ services:
+ - endpoint: internal
+ service: dashboard
+
+pod:
+ security_context:
+ horizon:
+ pod:
+ runAsUser: 42424
+ container:
+ horizon:
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ runAsUser: 0
+ db_sync:
+ pod:
+ runAsUser: 42424
+ container:
+ horizon_db_sync:
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ runAsUser: 0
+ test:
+ pod:
+ runAsUser: 42424
+ container:
+ horizon_test:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ tolerations:
+ horizon:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ mounts:
+ horizon_db_init:
+ init_container: null
+ horizon_db_init:
+ volumeMounts:
+ volumes:
+ horizon_db_sync:
+ init_container: null
+ horizon_db_sync:
+ volumeMounts:
+ volumes:
+ horizon:
+ init_container: null
+ horizon:
+ volumeMounts:
+ volumes:
+ horizon_tests:
+ init_container: null
+ horizon_tests:
+ volumeMounts:
+ volumes:
+ replicas:
+ server: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ horizon:
+ min_available: 0
+ termination_grace_period:
+ horizon:
+ timeout: 30
+ resources:
+ enabled: false
+ server:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: horizon-keystone-admin
+ oslo_db:
+ admin: horizon-db-admin
+ horizon: horizon-db-user
+ tls:
+ dashboard:
+ dashboard:
+ public: horizon-tls-public
+ internal: horizon-tls-web
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ oslo_cache:
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ dashboard:
+ name: horizon
+ hosts:
+ default: horizon-int
+ public: horizon
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: null
+ scheme:
+ default: http
+ port:
+ web:
+ default: 80
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ horizon:
+ username: horizon
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /horizon
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+ # They are using to enable the Egress K8s network policy.
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns:
+ default: 53
+ protocol: UDP
+ ingress:
+ namespace: null
+ name: ingress
+ hosts:
+ default: ingress
+ port:
+ ingress:
+ default: 80
+
+network_policy:
+ horizon:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ configmap_logo: false
+ deployment: true
+ ingress_api: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ pdb: true
+ pod_helm_test: true
+ network_policy: false
+ secret_db: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ service_ingress: true
+ service: true
+...
diff --git a/charts/keystone/.helmignore b/charts/keystone/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/keystone/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/keystone/Chart.yaml b/charts/keystone/Chart.yaml
new file mode 100644
index 0000000..8d5fadc
--- /dev/null
+++ b/charts/keystone/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Keystone
+home: https://docs.openstack.org/keystone/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: keystone
+sources:
+- https://opendev.org/openstack/keystone
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.19
diff --git a/charts/keystone/charts/helm-toolkit/Chart.yaml b/charts/keystone/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..ffa1cdc
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.36
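Review bot: The keystone chart vendors its own helm-toolkit copy pinned at `version: 0.2.36` under charts/keystone/charts/, so every bundled chart in this commit can carry a different toolkit revision with no single place to bump or audit it. If other copies in the bundle sit at a different version, templates with identical names (the endpoint lookups below) may behave differently per chart; a one-line provenance comment at the top of each vendored Chart.yaml, such as `# vendored from openstack-helm-infra at <UPSTREAM_COMMIT>`, would at least make the drift visible to a reviewer.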
diff --git a/charts/keystone/charts/helm-toolkit/requirements.yaml b/charts/keystone/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
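Review bot: The closing `printf "%s://%s:%s@%s:%s%s"` interpolates `$endpointUser` and `$endpointPass` into the URI verbatim, so a password containing `@`, `:`, `/`, `#` or `%` yields a URI that the consuming client parses as a different host or rejects outright. The userinfo fields should be percent-encoded before formatting, e.g. `{{- $endpointPass := index $userMap "password" | urlquery }}` (`urlquery` is a text/template builtin; it uses query-style escaping, so confirm the database client accepts `+` for space in the password). The same unescaped interpolation occurs in _authenticated_transport_endpoint_uri_lookup.tpl further down. Because the rendered string carries the plaintext credential, the abstract should state that callers may only place the result in a Secret-backed file, never a ConfigMap.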
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
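Review bot: The abstract's first line reads "suitible" where "suitable" is meant, and the comment could name the second input the helper consumes: the `statefulset` map with `name` and `replicas`, since the branch on `$ssMap` is what decides between a single host and a comma-joined per-pod list. A one-line addition such as `Requires endpoints.<type>.statefulset.{name,replicas} for the per-pod form; absent or null falls back to the single service host` would make that contract visible without reading the body.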
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
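Review bot: The `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"` test is unanchored, so any hostname that merely contains a dotted-digit run (a constructed example: `db10.1.2.3.example.org`) is treated as an IPv4 literal and returned verbatim instead of being expanded to a cluster FQDN. Anchoring it, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, restricts the short-circuit to a bare dotted quad; IPv6 literals are not detected at all, which the abstract could say. The helper also uses `$context.Values.__endpointHost` as scratch space, leaving that key behind in Values for the rest of the render, whereas a local `dict` as used in the transport lookup would keep the state private. The abstract's "of if defined" reads as "or, if defined".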
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
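Review bot: `printf "%1.f" $endpointPort` on the last line assumes the resolved port is numeric; a port written as a quoted string in values (`default: "3306"`) renders as a Go fmt error string such as `%!f(string=3306)` rather than failing the template. `{{- print $endpointPort -}}` renders both a float64-decoded number and a string as `3306`, though this relies on how Helm decodes YAML numbers, so confirm against the chart's loader. As a point of style, `$endpointPortMAP` breaks the camelCase used by every other local here; `$endpointPortMap` would match.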
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
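Review bot: A missing `token` key under the auth map on the `index ...` line resolves to nil, and `printf "%s"` then renders the literal `%!s(<nil>)` into whatever file includes it instead of failing the render. Wrapping the lookup, `{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" | required "endpoint token is not set" }}`, turns an unset credential into a template error at install time. Since the returned value is a bearer credential, the abstract should say that consumers must only render it into Secret-backed objects, and the sample token in the doc block would be better as an obvious placeholder than a realistic-looking value.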
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
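Review bot: The regex on the `if regexMatch` line is unanchored, so any host value that merely contains a dotted-quad substring (for example a hostname of the form `1.2.3.4.example.test`) is treated as an IP literal and the function returns `$type` instead of the host; anchoring it, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, limits the branch to bare IPv4 addresses. The same unanchored pattern is used in the `service_name_endpoint_with_namespace_lookup` hunk further down and would need the same change. Separately, `$endpointScheme := $endpointMap.scheme` is assigned but never read in this define and could be dropped.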
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
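Review bot: The `# FIXME(portdirect)` comment above the abstract asks "do we use it?" and says the function is bugged without saying how; the `keystone_endpoint_uri_lookup` hunk below calls this define for its path component, so the question is answerable and the comment should either name the actual defect or be reduced to the one verifiable point, e.g. `# FIXME(portdirect): the port argument (index 2) is accepted but unused.`. The `$port := index . 2` assignment is indeed never referenced in the body. The identical FIXME in the `keystone_endpoint_scheme_lookup` hunk has the same problem, and that define is likewise called from the uri lookup.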
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/keystone/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
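Review bot: In the IP-address branch, `{{- if .service.name }}` dereferences `.service` unconditionally, so an endpoint map that has an IP host but no `service` key will fail at render time with a nil-pointer evaluation error rather than fall through to the `namespace:type` default that the abstract describes as the normal case. Guarding the lookup, `{{- with .service }}{{- if .name }}` (closing the extra `with`), or an equivalent `and .service .service.name` check where short-circuit evaluation is available, keeps the documented fallback reachable. As noted on the short-hostname hunk, the `regexMatch` pattern here is also unanchored.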
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
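Review bot: `monitors: {{ $monHost }}` is emitted as a plain scalar while every other parameter is passed through `quote`; when `$monHost` comes from `conf.ceph.global.mon_host` rather than the endpoint lookup it is user-supplied text, and a value containing YAML indicators (Ceph's bracketed `[v2:...,v1:...]` mon_host form, for instance) would render as a flow sequence and break the manifest. Use `monitors: {{ $monHost | quote }}` for consistency with the loop below it. The documented `return:` example also omits the hard-coded `allowVolumeExpansion: true` that the define always emits; the example should show it so readers know the flag is not a parameter.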
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
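Review bot: The `$slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls"` line has no guard for the case where `host_fqdn_override.default` is null, which is the shape several of the endpoint examples in this commit use as their default; `index` on a nil value is a render-time error, so presumably every caller is expected to populate the `tls` map first, and that precondition is worth stating in the abstract, e.g. `Requires endpoints.<service>.host_fqdn_override.default.tls to be a map; callers should gate this include on it.`. The subsequent `set` calls write the computed `dnsNames`, `privateKey`, `duration`, `renewBefore` and `usages` defaults back into `.Values`, so they persist for any later template that reads the same map; if that is intended, a one-line comment saying the mutation is deliberate would save the next reader from treating it as a leak.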
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
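Review bot: The `rabbit-init` container gets a resources include but no container security context, whereas the ks-user job container in the preceding template includes `helm-toolkit.snippets.kubernetes_container_security_context`; this job is handed the broker admin credentials via `RABBITMQ_ADMIN_CONNECTION`, so it deserves at least the same hardening. I would add, directly after the kubernetes_resources line, `{{ dict "envAll" $envAll "application" "rabbit_init" "container" "rabbit_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}`. That presumably requires a `pod.security_context.rabbit_init` entry in the consuming charts' values, as ks_user has — confirm how the snippet behaves when the key is absent before relying on it. The `RABBITMQ_AUXILIARY_CONFIGURATION` env var serialises all of `conf.rabbitmq` into the pod spec; a one-line comment noting that nothing secret may live under that values key would stop a future maintainer putting credentials there.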
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
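Review bot: The TLS CA volume at the end of the volumes list uses `defaultMode: 292` while every other volume in this template writes the mode in octal (`0555`, `0444`); 292 is 0444 in decimal, so it is correct today, but the mixed notation invites a wrong edit later — write `defaultMode: 0444`. `$s3UserSecret` is assigned at the top of the define and never referenced anywhere in the template (`rgw_s3_user_env_vars` is passed `$envAll` instead), so either drop the assignment or use it where the user env vars are wired in if that was the intent. As with the sibling job templates, the container carries resources but no container security context, and when `conf.ceph.admin_keyring` is empty it mounts the `pvc-ceph-client-key` Secret at `/tmp/client-keyring`, which is a hard-coded cross-chart Secret name worth a comment at the top of the define.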
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
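Review bot: The `ceph-keyring-sh` volume always comes from the `$configMapBin` ConfigMap, while `create-s3-user-sh` a few lines above honours `$secretBin`; a chart that supplies `secretBin` because its scripts carry sensitive material still has `ceph-admin-keyring.sh` (run by the `ceph-keyring-placement` init container, which handles the Ceph client key) served from the ConfigMap. Make both script volumes follow the same `$secretBin`/`$configMapBin` switch. `$s3UserSecret` is assigned and never used here either, and the `ceph-keyring-placement` init container has neither resources nor a security context — worth a note if that is deliberate.

```yaml
        - name: ceph-keyring-sh
{{- if $secretBin }}
          secret:
            secretName: {{ $secretBin | quote }}
            defaultMode: 0555
{{- else }}
          configMap:
            name: {{ $configMapBin | quote }}
            defaultMode: 0555
{{- end }}
# … unchanged: etcceph, ceph-etc and ceph-keyring volumes …
```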
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
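Review bot: The job bind-mounts the node's Docker socket (`docker-socket` hostPath at the end of the volumes list) into a container that declares no security context, so whoever can run or alter this job — including through `podVols`/`podVolMounts`, which are spliced in verbatim — effectively has root on the node; a `readOnly: true` on the mount would not change that, because a read-only bind mount still lets the container connect to and write to the socket. At minimum the hostPath should declare what it expects, `type: Socket`, so the pod fails with a clear error on nodes that have no Docker socket (e.g. containerd-only nodes) instead of mounting whatever is at that path. The header comment should also state the privilege involved so chart consumers gate the job deliberately, e.g. `# NOTE: this job mounts the host's /var/run/docker.sock and is therefore node-root-equivalent; enable it only where that level of node access is acceptable.`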
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
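Review bot: In the generated egress rules, endpoints that carry a `namespace` are matched with `namespaceSelector.matchLabels.name: <ns>` — a label Kubernetes does not set automatically, so unless the operator labels every target namespace by hand (kube-system for the `kube_dns` example in the header) the selector matches nothing, and once `Egress` is in policyTypes the policy silently blocks DNS and all cross-namespace traffic. Recent Kubernetes (1.21+) sets the immutable `kubernetes.io/metadata.name` label on every namespace, so `kubernetes.io/metadata.name: {{ index $value "namespace" }}` would be the robust selector; if the `name` label is kept for compatibility, the header should document that namespaces must be labelled accordingly. The header's `return:` examples are also inconsistent with their `values:` — the `default` namespace entry is shown as a `namespaceSelector` in the input but as a `podSelector` in the output.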
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
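Review bot: The private key is read straight from values (`endpoints.<svc>.host_fqdn_override.<endpoint>.tls.key`) and rendered into the Secret's `data`, so the key ends up wherever values files are kept and in the rendered manifest Helm records for the release; the abstract should say so rather than leaving operators to discover it. I would add to the header: `Note: tls.key is taken from values; keep it out of committed values files and prefer creating the Secret named by secrets.tls.<svc>.<backend>.<endpoint> out of band, leaving tls.key unset, in which case this template renders nothing.` The "renders nothing" part is what the `and $endpointHost.tls.key $endpointHost.tls.crt` guard already does. Separately, joining `crt` and `ca` with `"\n"` leaves a blank line between the PEM blocks whenever `crt` ends with a newline, as the header's own example output shows (it decodes to FOO-CRT, an empty line, FOO-CA_CRT); most PEM parsers tolerate this, but trimming the trailing newline from `crt` before the join would make the chain canonical.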
diff --git a/charts/keystone/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/keystone/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
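Review bot: The three lookups at L95280–L95283 index `$envAll.Values.endpoints` with the raw `$backendServiceType`, whereas the sibling `secret_ingress_tls` helper (L95215) first applies `replace "-" "_"`; for a hyphenated type such as the documented `key-manager`, whose values key is `key_manager` (see L95186 above), the `ip.ingress` lookup never matches and `clusterIP` is silently dropped from the Service. Suggest `{{- $endpointKey := $backendServiceType | replace "-" "_" }}` after L95266 and using `$endpointKey` in the three `index` calls. Since this is a bundled copy of helm-toolkit, the same change should be made upstream so the next re-vendoring does not undo it.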
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
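Review bot: The non-http branch at L95314 unconditionally adds `--no-check-certificate`, so every TLS connection to RGW is made without validating the server certificate, and the admin and user secret keys are passed as command-line arguments (L95316–L95317), where they are readable by any process on the node for the duration of each `s3cmd` call. Consider verifying when a CA bundle is available, e.g. `CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT}"` guarded by `[ -n "${RGW_CA_CERT:-}" ]` (the variable name is illustrative) and only falling back to the current flag otherwise, with a comment stating why verification is skipped. A `set +x`-style guard is not needed here because xtrace is off, but the same keys are also placed on the command line in `_create-s3-user.sh.tpl` (L95358–L95359, L95390–L95391).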
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
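Review bot: `|| true` at L95364, L95382 and L95394 turns any `radosgw-admin` failure (cluster unreachable, auth error, missing `jq`) into an empty string, so a transient error is indistinguishable from "user or key not found" and the script proceeds to `create_s3_user` or `user modify`, potentially rotating an existing key pair on the strength of a failed lookup. Capture the status separately, e.g. `user_info=$(radosgw-admin user info --uid=${S3_USERNAME} 2>&1) || rc=$?`, and treat the user as absent only when the output reports it as missing (the exact error text/exit code should be confirmed against the radosgw-admin version in use), exiting non-zero otherwise. The enclosing `define` ends at L95400 so the fix is self-contained in this hunk.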
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
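Review bot: `str (port)` at L95510 produces the literal `None` when `ROOT_DB_CONNECTION` carries no port, so the rebuilt URL becomes `host:None` and `create_engine` fails with an unrelated-looking error; the rebuild also discards any query options on the original URL. One-line fix: `root_engine_url = '{0}://{1}:{2}@{3}{4}'.format(drivername, root_user, root_password, host, ':' + str(port) if port else '')`. The identical line appears in `_db-init.py.tpl` at L95658 and needs the same change. Separately, the `DROP DATABASE` / `DROP USER` statements at L95534 and L95542 interpolate the names unquoted; the init script backtick-quotes the database name in its GRANT (L95691), so for consistency use `"DROP DATABASE IF EXISTS `{0}`"` and `"DROP USER IF EXISTS '{0}'@'%%'"` here so names containing `-` or reserved words do not break the statement.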
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
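Review bot: The GRANT at L95690–L95692 splices the service user's password into the SQL text with `.format`, so a password containing `'` (or `\`) breaks the statement, and because the value originates in chart secrets it reaches the server entirely unescaped. Bind the values instead of formatting them: `from sqlalchemy import text` in the import block, then `root_engine.execute(text("GRANT ALL ON `{0}`.* TO :u@'%' IDENTIFIED BY :p {1}".format(database, mysql_x509)), u=user, p=password)` — `text()` doubles the `%` for the pymysql paramstyle itself, so the hand-written `%%` goes away. Note that `GRANT … IDENTIFIED BY` is MariaDB syntax; if this job is ever pointed at MySQL 8 it needs a separate `CREATE USER`. The same `str (port)` defect flagged on `_db-drop.py.tpl` is present here at L95658.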
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
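Review bot: `EXPORT PGDATABASE=$2` at L95760 is not a shell builtin (`export` is), so the first caller that passes a second argument gets "command not found" and, under `set -e`, the job aborts; none of the calls in this hunk pass one, which is why it has not surfaced. Separately, `set -ex` at L95730 traces every command, so `$USER_DB_PASS` is written to the job log in clear text by the `CREATE ROLE` and `ALTER USER` commands at L95774 and L95777; wrap those two invocations in `set +x` / `set -x`. Those same statements also interpolate the password unescaped into the SQL, so a `'` in it breaks the statement — the `pgsql_superuser_cmd` wrapper could accept the password via a `-v`/`\set` psql variable rather than the literal, but at minimum the xtrace leak should be closed.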
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
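Review bot: With `set -ex` at L95852, the `--password="${SERVICE_OS_PASSWORD}"` arguments at L95866 and L95870 are echoed by xtrace, so the service user's Keystone password lands in the job's pod logs and wherever those logs are shipped. Wrap the two `openstack user` calls in `set +x` / `set -x`, or disable tracing for the whole script and emit explicit progress messages instead. The `_ks-user.sh.tpl` hunk below enables xtrace the same way at L96097 and presumably sets a user password further down (outside this chunk), so it should be checked for the same exposure.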
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
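Review bot: Nothing verifies that `OS_SERVICE_ID` (L95933–L95935) is non-empty before it is passed to `openstack endpoint create` at L95968; the assignment's exit status is `sed`'s, so a failed or empty `service list` slips past `set -e` and the script goes on to create an endpoint with an empty service argument. Add `[[ -n "${OS_SERVICE_ID}" ]] || { echo "service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; }` directly after the lookup. The grep at L95939 also interpolates `${OS_SVC_ENDPOINT}` and the service name into an unescaped regular expression; the values are chart-controlled so this is a robustness rather than a security concern, but it is worth a comment noting the assumption.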
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
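Review bot: The retry loop at L96038–L96050 cannot distinguish "service list failed" from "service not found": the assignment's status is that of `sed`, so an API error passes `set -e`, and after three empty results the script falls through to `openstack service create` at L96054 — the duplicate-service scenario the FIXME comment itself describes. Capture the listing separately and check its status, e.g. `SERVICE_LIST=$(openstack service list -f csv --quote none) || { sleep 2; continue; }`, then grep/sed from `"${SERVICE_LIST}"` and only create when a successful listing did not contain the service; if all three listings fail, exit non-zero rather than creating. The loop also sleeps 2 s after the last attempt before creating, which the comment does not explain.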
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..db12915
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,540 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+local A_FILE="$1"
+local A_DATE=""
+if [[ -z ${BACK_UP_MODE} ]]; then
+ A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
+else
+ A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
+fi
+echo ${A_DATE}
+}
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+ ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -rf $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+ ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ create_hash_table $(cat $DB_BACKUP_FILES)
+ remove_old_remote_archives
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..c2de3aa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f 8
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
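Review bot: `ARCHIVE_FILE` comes straight from the CLI and is spliced into paths in `get_archive` (`cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE`, `openstack object save --file $TMP_DIR/$ARCHIVE`) and `delete_archive` (`rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}`) with no check that it is a bare filename, so a value containing `/` or `..` reads, writes or deletes outside the archive and staging directories. A one-line guard at the top of both functions closes this: `case "${ARCHIVE_FILE}" in ''|*/*|.*) clean_and_exit 1 "ERROR: Invalid archive name: ${ARCHIVE_FILE}";; esac`. Separately, in `retrieve_remote_listing` the `$?` tested after the `openstack object list ... | grep | grep | awk` pipeline is awk's status, so a failed listing is never reported; add `set -o pipefail` near the top of the script or capture the listing into a variable and test that command's status. `database_exists` also uses an unanchored `grep "${DB}"`, which accepts any database whose name merely contains the requested one; `grep -qxF -- "${DB}" "${RESULT_FILE}"` matches the whole line literally.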
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
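Review bot: The `$imageTag` assignment uses `index $envAll.Values.images.tags $image`, which yields nil when the tag key is missing, and as far as I can tell the `quote`/`printf` on the following lines then render an empty or garbled `image` value instead of failing, so a typo in a tag name only surfaces when the pod fails to pull. Failing at render time is the safer behaviour for a helper every chart routes its images through: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not defined" $image) -}}`. The trailing `imagePullPolicy` line emits the value unquoted; `{{ $envAll.Values.images.pull_policy | quote }}` keeps it a string regardless of what the values file holds.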
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
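Review bot: The `return:` block in the header comment no longer matches what the define emits: the template always adds `OS_DEFAULT_DOMAIN` (not shown in the example) and emits `OS_CACERT` only when `useCA` is set, while the example shows `OS_CACERT` unconditionally and the `usage:` line never passes `useCA`. Update the usage to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}`, add the `OS_DEFAULT_DOMAIN` entry to the return example, and note that `OS_CACERT` is conditional. The header's "enviorment"/"equivlant" typos could be fixed in the same pass.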
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
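Review bot: This snippet is the one that actually materialises `OS_PASSWORD` into a Secret, yet it is the only one in this set without the `abstract:`/`values:`/`usage:`/`return:` header comment the sibling snippets carry, so a reader has to reverse-engineer the tuple order (`userClass`, `identityEndpoint`, context) and which `endpoints.identity.auth.<class>` keys are mandatory versus defaulted. A header stating that `region_name`, `project_domain_name`, `project_name`, `user_domain_name`, `username` and `password` are required while `interface`, `default_domain_id` and `cacert` are optional would be enough. It would also help to say what `cacert` is expected to hold: OpenStack clients read `OS_CACERT` as a file path, so if the value is PEM content the consuming pod has to write it to disk first — I cannot tell from this file which convention is intended, so please confirm and document it.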
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
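Review bot: The `usage:` example passes `"useCA" true`, but the define only reads `.ksUserSecret` and never emits an `OS_CACERT` (or `SERVICE_OS_CACERT`) entry, so the example documents an option that has no effect. Either drop `"useCA" true` from the usage line or, if CA support is intended to mirror `keystone_openrc_env_vars`, add the conditional block and document it; as written, a chart author will assume TLS verification is configured when it is not. The "enviorment" typo in the abstract could be fixed at the same time.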
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
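Review bot: The `values:` example in the header places `apparmor_profiles` under `pod.mandatory_access_control`, but the template reads `$envAll.Values.conf.apparmor_profiles`, so anyone following the documentation gets an empty ConfigMap and pods that fail to find their profile. Move the example key to `conf: apparmor_profiles:` (as a mapping of profile name to profile text, since the template passes it through `toYaml`), not the block scalar shown now. Note also that `conf` is accessed without the `hasKey` guard used for the other keys, so a chart that enables `configmap_apparmor` but has no `conf` section presumably fails at render time; wrapping the check in `{{- if hasKey $envAll.Values "conf" }}` would make the failure mode consistent with the rest of the snippet.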
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
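Review bot: The loader's `image:` line interpolates `images.tags.apparmor_loader` directly instead of going through `helm-toolkit.snippets.image` the way the kubernetes-entrypoint init container in this same commit does, so it gets no `imagePullPolicy` and skips whatever that snippet does for `images.local_registry`. Rendering it as `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` would make the two init containers consistent. The `privileged: true` context together with the `/sys` hostPath mount gives this container host-kernel access, presumably because loading profiles requires it; a one-line comment above `securityContext:` such as `# privileged + /sys are required to load AppArmor profiles into the host kernel; exclude this init container from restricted pod-security enforcement` would tell reviewers of consuming charts why the exception exists.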
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
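Review bot: The `includes` hostPath volume for `/etc/apparmor.d` is emitted whenever `configmap_apparmor` is true, while `/sys` is gated behind `requireSys`; the `inputs` block documents `requireSys` but never states that the host's AppArmor include directory is always exposed, so a chart author cannot tell from the docs that this pod needs hostPath permissions regardless of `requireSys`. Suggest adding to `abstract`: `Always exposes the host's /etc/apparmor.d as the 'includes' hostPath volume; the /sys hostPath is only added when requireSys is true.` The `return` example also shows the configMap name bare (`name: RELEASENAME-keystone-apparmor`) while the code emits it through `quote`; updating the example to `name: "RELEASENAME-keystone-apparmor"` keeps the docs honest.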
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
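Review bot: The wrapper `( index $envAll.Values.pod.security_context )` on the second `hasKey` line is a single-argument `index`, which just returns the map itself; `{{- if hasKey $envAll.Values.pod.security_context $application }}` is the plain form and matches the surrounding style. The rendered block is whatever sits under `pod.security_context.<application>.container.<container>` passed through `toYaml` with no filtering or defaults, so a values entry such as `privileged: true` lands on the container verbatim. Worth one sentence in `abstract`: `The values stanza is rendered as-is; no fields are filtered or defaulted, so values files are the only control over what a container may request.`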
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
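Review bot: The `DEPENDENCY_JOBS_JSON` entry uses `value: {{- toJson $deps.jobs | quote -}}`, and the leading `{{-` trims the space after `value:`, so the rendered line appears to come out as `value:"[...]"`, which is not a valid mapping entry; the neighbouring `DEPENDENCY_POD_JSON` and `DEPENDENCY_CUSTOM_RESOURCE` lines use untrimmed `value: {{ ... }}`. Suggest `value: {{ toJson $deps.jobs | quote }}`. This branch only fires when `dependencies` lists jobs as objects rather than strings (the `kindIs "string"` check takes the common path), so it may simply not have been rendered yet; a template render with an object-form job would confirm.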
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
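Review bot: This is the only snippet in the directory with no `abstract`/`usage`/`return` documentation block ahead of the `define`. Suggest adding one describing the three-element tuple input `(envAll, application, component)` and the returned label-selector string `-l application=<application> -l component=<component>`, in the same comment style as the sibling snippets. Callers embed this in shell commands, so the docs should also state that `application` and `component` are inserted verbatim with no quoting or escaping.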
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
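Review bot: The annotation value on the `container.apparmor.security.beta.kubernetes.io/` line is interpolated bare as `{{ $apparmorProfile }}`, whereas the apparmor volumes snippet in this same commit passes its interpolated name through `quote`; annotation values must be strings, and a bare scalar is retyped by the YAML parser if it happens to look like a bool or number. `container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile | quote }}` is the consistent, type-safe form. The `note:` sentence `The number of container underneath is a variable arguments` reads awkwardly; `The number of containers is variable: the snippet loops over every name in containerNames` says the same thing.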
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
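Review bot: `release_group:` is rendered bare from `Values.release_group | default Release.Name`, and labels must be strings, so an operator who sets `release_group` to something numeric-looking ends up with a parser-retyped value and a rejected manifest; `release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name | quote }}` removes that edge. The `application:` and `component:` lines are in the same position and could take the same treatment. The values-driven labels below go through `toYaml`, which already quotes where needed, so they are fine as written.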
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
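Review bot: When `$antiAffinityType` is neither of the two supported strings (a typo in `pod.affinity.anti.type`), the `if`/`else if` chain emits nothing after `podAntiAffinity:`, so the key renders with a null value and the scheduling constraint is silently dropped rather than rejected. Adding `{{- else }}` followed by `{{ fail (printf "unsupported pod.affinity.anti.type %q for component %s" $antiAffinityType $component) }}` before the final `{{- end -}}` turns that into a render-time error. The hard-coded `weight: 10` fallback duplicates the documented `weight.default`; a comment noting it is the value used when the `weight` stanza is absent entirely would avoid the question.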
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
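Review bot: The single `rules` entry grants `get`/`list` across four apiGroups for every resource the loop adds, and when `$deps` contains `secrets` that includes namespace-wide `list` on Secrets with no `resourceNames` scoping; this file has no documentation block, so nothing records that a `secret` dependency confers read on every Secret in the target namespace. Suggest a header comment above the `define` in the sibling snippets' style stating the tuple input `(envAll, resourceList, saName, saNamespace)`, that one Role/RoleBinding pair is produced per namespace, and `# note: a "secrets" dependency grants get/list on all Secrets in the namespace`. The loop also emits `- pods` once per matching entry, so a dependency list containing `pods`, `jobs` and `daemonsets` yields the same resource three times; harmless to the API server but untidy in the rendered Role.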
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
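Review bot: In the `services` branch, `$endpointMap.namespace` dereferences the result of `index $envAll.Values.endpoints $serv.service` without checking it, so a dependency naming a service with no `endpoints` entry appears to fail the render with a generic nil-pointer error instead of a message naming the offending service. A guard such as `{{- if not $endpointMap }}{{ fail (printf "no endpoints entry for dependency service %q" $serv.service) }}{{- end }}` immediately after the lookup gives an actionable error. The `$randomKey` placeholder that seeds `$allNamespace` and is unset before the final range deserves a one-line comment explaining why an empty `dict` is not used here, since the next maintainer will otherwise read it as nondeterminism in the output.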
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
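Review bot: When a chart sets both the deprecated `pod.user.<app>.uid` and `pod.security_context.<app>.pod.runAsUser`, this snippet renders `runAsUser` twice under the same `securityContext` mapping (once from the `uid` branch, once from the `toYaml` of the `pod` map), and most YAML parsers silently keep the last one while strict ones reject the duplicate key, so which uid wins depends on the tooling. Nothing here applies a default either: a chart that omits `security_context.<app>.pod` gets whatever the cluster defaults to, so callers must not assume `runAsNonRoot` is set. I'd resolve the explicit `security_context` map first and only fall back to the legacy `uid` when it does not already carry `runAsUser`, and say in the abstract that the explicit map takes precedence.
```yaml
{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
{{- $envAll := index . "envAll" -}}
{{- $application := index . "application" -}}
{{- /* explicit pod-level context wins over the deprecated 'user' key */ -}}
{{- $podCtx := dict -}}
{{- if hasKey $envAll.Values.pod "security_context" }}
{{- if hasKey $envAll.Values.pod.security_context $application }}
{{- $podCtx = index $envAll.Values.pod.security_context $application "pod" | default dict -}}
{{- end -}}
{{- end -}}
securityContext:
{{- if and (not (hasKey $podCtx "runAsUser")) (hasKey $envAll.Values.pod "user") }}
{{- if hasKey $envAll.Values.pod.user $application }}
{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $podCtx }}
{{ toYaml $podCtx | indent 2 }}
{{- end -}}
{{- end -}}
```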
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
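Review bot: `mergeOverwrite $probeTemplate $probeOverides` mutates the `probeTemplate` dict the caller passed in, so a chart that builds one template dict and reuses it for both the readiness and the liveness probe will see the `params` of the first call leak into the second. The documented usage builds a fresh dict with `fromYaml` on every call, which hides the problem, but merging into a copy is cheap: `{{ dict ( printf "%sProbe" $type ) (mergeOverwrite (deepCopy $probeTemplate) $probeOverides ) | toYaml }}` (`deepCopy` is sprig v3, i.e. Helm 3). Separately, `index $envAll.Values.pod.probes $component $container $type` aborts rendering when the component or container key is absent; that fail-closed behaviour is reasonable but should be stated in the abstract so chart authors know every probe must be declared in values.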
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
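Review bot: The `container.seccomp.security.alpha.kubernetes.io/<name>` annotation rendered in the range loop is the pre-GA form; since seccomp went GA in Kubernetes 1.19 the supported field is `securityContext.seccompProfile`, and newer releases (1.25 and later, as far as I recall — confirm against the target cluster version) ignore the annotation altogether, so a chart that believes it confined a container with `localhost/mySeccomp` would silently run it unconfined. I'd add a companion snippet that maps the same `pod.seccomp.<pod>.<container>` values to a `seccompProfile` stanza for the container `securityContext`, reject values it cannot translate instead of dropping them, and note in this file's abstract that the annotation form is only honoured by older clusters.
```yaml
{{- define "helm-toolkit.snippets.kubernetes_seccomp_profile" -}}
{{- /* Renders securityContext.seccompProfile for one container from the
       same pod.seccomp.<podName>.<containerName> values the annotation
       snippet reads; include under the container securityContext. */ -}}
{{- $envAll := index . "envAll" -}}
{{- $podName := index . "podName" -}}
{{- $containerName := index . "containerName" -}}
{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
{{- $profile := index $envAll.Values.pod.seccomp $podName $containerName -}}
{{- if $profile }}
seccompProfile:
{{- if eq $profile "runtime/default" }}
  type: RuntimeDefault
{{- else if eq $profile "unconfined" }}
  type: Unconfined
{{- else if hasPrefix "localhost/" $profile }}
  type: Localhost
  localhostProfile: {{ trimPrefix "localhost/" $profile | quote }}
{{- else }}
{{- fail (printf "unsupported seccomp profile %q for %s/%s" $profile $podName $containerName) }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
```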
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
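Review bot: The usage example passes the tolerations map (`tuple . .Values.pod.tolerations.api`) as the second argument, but the template does `index $envAll.Values.pod.tolerations $component`, i.e. it expects the component *name*; copy-pasting the example should fail at render time because `index` is given a map where a string key is required, and the example should read `{{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . "api" ) }}`. The `enabled: true` key shown in the values example is also never consulted here, so either the caller must gate the include on `.Values.pod.tolerations.<component>.enabled` (presumably what the charts do) or the snippet should wrap its output in `{{- if $pod.enabled }} … {{- end }}`; the abstract should say which, since tolerating `node-role.kubernetes.io/master` is what lets a workload land on control-plane nodes.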
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
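Review bot: `rollingUpdate.partition` is emitted whenever `partition` is set, regardless of `pod_replacement_strategy`; with `OnDelete` the API server rejects a `rollingUpdate` stanza (StatefulSet validation only allows it with `RollingUpdate`, as I read it), so the guard should be `{{ if and (eq .pod_replacement_strategy "RollingUpdate") .partition -}}`. A `partition: 0` is also dropped by the truthiness test, which is harmless because 0 is the API default, but it is worth a word in the abstract so nobody expects an explicit `partition: 0` to appear in the rendered manifest.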
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
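Review bot: The header comment does not say what `mon_host_from_k8s_ep` needs in order to work: RBAC `get` on `endpoints` in `$ns` for the pod's service account, and ports on the Endpoints object named exactly `mon` and `mon-msgr2` — any other naming yields empty output, which the usage example treats as failure but which the function itself cannot distinguish from a missing object. Because the result is spliced into `ceph.conf` via `sed`, whoever can write that Endpoints object can redirect every client to mon addresses of their choosing, so the namespace should be called out as trust-sensitive. I'd add to the comment block: `# Requires RBAC: get endpoints in "$ns". Ports must be named "mon" (v1) and/or "mon-msgr2" (v2); other names produce empty output, and the caller must treat empty output as failure.`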
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
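Review bot: All three RGW admin credentials are injected as environment variables, which exposes them to anything that can read the process environment — `/proc/<pid>/environ` from a co-located debug container, crash dumps, and every child process that inherits the env — whereas a read-only secret file mount is only readable on demand by the process that needs it. If the consuming scripts cannot be changed, the snippet should at least fail early when `s3AdminSecret` is absent rather than rendering an invalid secret name three times: `{{- $s3AdminSecret := required "rgw_s3_admin_env_vars: s3AdminSecret is required" .s3AdminSecret }}`. A one-line header comment stating the expected keys (`S3_ADMIN_USERNAME`, `S3_ADMIN_ACCESS_KEY`, `S3_ADMIN_SECRET_KEY`) of the referenced secret would also help, since this snippet is the only place that contract is visible.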
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
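Review bot: These Secrets are populated straight from `.Values.storage.s3.clients.<client>.auth`, so the credentials live in the chart values — committed to git whenever the overrides are, and retained in the Helm release record (a Secret in the release namespace under Helm 3, readable via `helm get values`), which widens who can read them well beyond the pods that mount the secret. The snippet should say so in a header comment and steer operators to supply `auth` via `--set-file` or an external secret manager rather than plain values files. Two smaller points: the `data` keys are simply the `auth` keys uppercased, so a typo such as `acces_key` silently becomes a secret key nobody consumes, and the companion `rgw_s3_user_env_vars` snippet assumes exactly `USERNAME`, `ACCESS_KEY` and `SECRET_KEY`, so a `required` check on those three `auth` keys would surface the mistake at render time instead of at pod start.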
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
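Review bot: `enabled` is tested with plain truthiness and the usage example passes the *string* `"true"`, so a caller who follows the example and later flips it to `"false"` still gets the volume, because any non-empty string is truthy in Go templates; the example should pass a boolean such as `.Values.manifests.certificates`, matching the `tls_volume_mount` snippet. `defaultMode: 292` is 0444, which makes `tls.key` readable by every uid in the pod; 0440 (288) or 0400 (256) combined with `fsGroup`/`runAsUser` would restrict it to the service user — hedged, since some consuming images may run as a uid that does not own the mount, which would then need `fsGroup` set. At minimum the abstract should state the mode in octal and why it was chosen, e.g. `defaultMode: 292  # 0444: key is readable by any uid in the pod; tighten with fsGroup if the image allows`.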
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
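Review bot: The second usage example passes `"ca" true`, but the template never reads a `ca` key — the CA-only mount at `/etc/ssl/certs/openstack-helm.crt` is selected purely by omitting `path` — so the example should drop `"ca" true` and the abstract should say "omit `path` to mount only the issuing CA". The same truthiness caveat as `tls_volume` applies to `enabled`: a string `"false"` is truthy and still renders the mounts. Since `mountPath` is built as `printf "%s/%s" $path $value`, a `certs` entry outside `{tls.crt, tls.key, ca.crt}` is rendered as a `subPath` that does not exist in a `kubernetes.io/tls` secret and I'd expect the mount to fail at pod start; a `fail` on unknown entries, e.g. `{{- if not (has $value (tuple "tls.crt" "tls.key" "ca.crt")) }}{{ fail (printf "tls_volume_mount: unknown cert %q" $value) }}{{ end }}`, gives a clearer error at render time.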
diff --git a/charts/keystone/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/keystone/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
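Review bot: The `format` parameter, read as `$format` with `"Secret"` as its only special value, is missing from the header, which documents only `envAll`, `template` and `key`; a caller can only discover the Secret mode by reading the body. I'd add to the header: `format: "configMap" (default) or "Secret"; with "Secret" each rendered value is base64 encoded for a Secret's data field.` The header should also state that every template is run through `tpl`, so any `{{ }}` inside a config value in the values file is executed as template code — literal braces must be escaped, and the values files feeding this helper have to be treated as trusted input.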
diff --git a/charts/keystone/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/keystone/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
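Review bot: When `params.ca` is present but lacks either `crt` or `key`, the inner `if` under `hasKey $params "ca"` falls through without setting `$local.ca`, so `genSignedCert` later receives a nil CA and the failure surfaces as an opaque template error rather than a clear message; I'd add `{{- else }}{{- fail "params.ca must provide both crt and key" }}` before that inner `end`. Separately, the returned dict carries the CA private key as `caKey`, but the `return:` example in the header omits it; document it and warn that `caKey` must not be placed in the same Secret that is mounted into service pods (the volume-mount snippet only needs tls.crt, tls.key and ca.crt). As far as I can tell, sprig's `genCA`/`genSignedCert` generate a fresh key on each render, so certificates rotate on every upgrade unless the caller persists them — worth a sentence in the abstract.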
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
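Review bot: This helper has no abstract/values/usage header like the sibling templates, so the meaning of `override`, `prefix` and `append` on `$keyRoot` is only discoverable by reading the body. I'd add a header stating that `override` replaces the rendered template entirely, `prefix` and `append` are emitted verbatim before and after it, and all output is indented by four spaces for inclusion under a ConfigMap `data:` key. It should also note that `override`, `prefix` and `append` are inserted as-is and are not template-rendered, unlike the template itself, which goes through `helm-toolkit.utils.template`.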
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
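Review bot: `printf (print $context.Chart.Name "_" $daemonset)` and the two similar name constructions near the end use `printf` with a data-derived format string and no arguments, which is needless and fragile — a `%` in the chart or daemonset name would be interpreted as a verb. `print` alone, or `printf "%s_%s" $context.Chart.Name $daemonset`, yields the same string safely. Also, `unset $context ".Files"` targets a key spelled with a leading dot; if the intent was to drop the root context's `Files` entry before the deep copies, the key is presumably `Files` — worth confirming.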
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
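Review bot: In the slice branch, `index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey` is evaluated without the existence check that the string branch applies, so a mixin name with no `dynamic.targeted` entry presumably fails with an obscure index error instead of a clear message. I'd guard it the same way, `{{- if index $envAll.Values.dependencies.dynamic.targeted $v }}` around the merge, and add a header describing `dependencyMixinParam` (a string or a list of targeted dependency names) and `dependencyKey`. The scratch key `__deps` is also left behind in `.Values` after rendering, unlike `pod_dependency`, which is the intended output; unset it before the final `toYaml`.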
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
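Review bot: The helper has no header and the local `$wtf` says nothing about what it holds — the path of a sibling template in the same directory, built by swapping the basename. I'd rename it, e.g. `{{- $sibling := printf "%s/%s" (dir $context.Template.Name) $name -}}`, which also avoids `replace` matching the basename elsewhere in the path, and add an abstract: returns the quoted sha256 of the rendered sibling template `$name` of the current template.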
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
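Review bot: The separator is emitted before the exclusion check, so an excluded image that follows an emitted one produces a stray comma (`a,,b` or a trailing `a,`); the comma should be moved inside the check: `{{- if (not (has $k $imageExcludeList )) -}}` / `{{- if not $local.first -}},{{- end -}}` / `{{- index $imageDict $k -}}`. The helper also lacks a header; it should state that it returns a comma-separated list of the image references in `.Values.images.tags` minus the keys listed in `.Values.images.local_registry.exclude`.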
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
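Review bot: The single quotes wrapped around each item at L100489 are not paired with any escaping of the item itself, so a value that contains `'` yields an unbalanced quoted string in whatever consumes the output; which escaping is right depends on the consumer, which this file does not show, so at minimum the abstract should state that callers must pass quote-free values. The abstract at L100475 also misspells "separated" as "seperated"; I would reword it to `Joins a list of values into a comma separated string, wrapping each value in single quotes (values are not escaped).`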
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
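Review bot: The license header at L100497 opens with `{/*` instead of `{{/*`, so the whole block up to L100509 is literal template text rather than a template comment; the sibling files in this commit (e.g. L100535) use `{{/*`. Since the text sits outside the `define`, it most likely never reaches a rendered manifest, but it is still a typo that diverges from every other helper and would surface if the file were ever included directly. The fix is the one character: `{{/*`.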
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
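Review bot: In `helm-toolkit.utils.merge`, `$local.result` is only assigned inside the `range` at L100616-L100620, so when the tuple holds a single value the loop body never runs and the map caller at L100622-L100623 gets `result` set to nil instead of the target. Initialising the result before the loop, `{{- $_ := set $local "result" $target -}}` placed right after L100615, makes the one-value case return the target as the documentation at L100587-L100591 describes. The open TODO at L100633-L100635 about merging mismatched kinds is still worth a sentence in the header comment so callers know a map merged into a slice silently keeps the source.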
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_template.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
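Review bot: The local at L100731 is named `$wtf`, which tells the reader nothing; it holds the current template's path with its basename swapped for the requested name, so `$templateName` or `$siblingTemplate` would be clearer. This file is also the only helper in this directory without an `abstract`/`usage`/`return` header block like the one at L100549-L100560; a short one saying that the helper includes a template named by `index . 0` that lives next to the calling template, passing `index . 1` as its context, would make the intent of the `base`/`replace` dance at L100730-L100731 obvious.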
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
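Review bot: The `kindIs "map"` guard at L100779 silently drops any top-level key whose value is not a map, so a scalar accidentally placed at section level disappears from the rendered INI without any error, and nothing in the abstract at L100755-L100756 says so. I would add to the abstract: `Only keys whose value is a map are rendered as sections; scalar or list values at the top level are ignored.` The inner `{{range` at L100781 is also the only tag in these helpers written without a space after the braces (compare L100999), which is worth aligning for consistency.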
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
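Review bot: The usage example at L100823 names `helm-toolkit.utils.to_k8s_env_vars` and passes a single value, but the template defined at L100832 is `helm-toolkit.utils.to_k8s_env_secret_vars` and reads a two-element tuple (`index . 0` for the context at L100833, `index . 1` for the secrets map at L100834); copying the example verbatim would fail. The usage line should read `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}`, and the `values` block at L100818-L100820 should match whatever shape is passed as the second element.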
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
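Review bot: The quoting rules at L100923-L100932 are not documented: list values are joined and double-quoted (L100924), strings are double-quoted unless they match `^[0-9]+$` (L100926-L100929), and every other kind is emitted bare (L100932), whereas `to_ini` in this same commit never quotes. The abstract at L100909-L100910 and the single-integer example at L100918 do not hint at this, so a caller expecting `to_ini`-style output will be surprised. I would extend the abstract with `String values are emitted double-quoted unless purely numeric; lists are comma-joined and double-quoted; booleans and numbers are emitted bare.`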
diff --git a/charts/keystone/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/keystone/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
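Review bot: A nested map value without a `type` key reaches `eq $value.type "multistring"` at L101003 with a nil left operand, which I would expect the template engine to reject as an incompatible comparison rather than render; and a map whose `type` is neither `multistring` nor `csv` falls through both branches and is silently dropped at L101009. Guarding with `{{- if and (hasKey $value "type") (eq $value.type "multistring") }}` and adding a final `{{ else }}` branch that calls `fail` with the offending key would turn both cases into a clear render-time error. The abstract at L100957-L100980 should also state that the only supported map shapes are those two `type` values.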
diff --git a/charts/keystone/charts/helm-toolkit/values.yaml b/charts/keystone/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/keystone/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/keystone/requirements.lock b/charts/keystone/requirements.lock
new file mode 100644
index 0000000..6d50cc5
--- /dev/null
+++ b/charts/keystone/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.36
+digest: sha256:7815f273587bf686278d58f0c6e9c86c37f220ef3f3c1e83edc478613082fef4
+generated: "2022-03-24T05:04:09.692437746Z"
diff --git a/charts/keystone/requirements.yaml b/charts/keystone/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/keystone/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
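= 0.1.0"">
Review bot: The `repository` at L101071 points to `file://../../openstack-helm-infra/helm-toolkit`, which resolves relative to `charts/keystone` to a directory outside this tree as far as the diff shows, while the commit itself vendors the dependency under `charts/keystone/charts/helm-toolkit` (L100416 onwards). If that sibling checkout is not present, `helm dependency update` will fail and the lock at L101045-L101050 cannot be regenerated, even though `helm template`/`install` will work from the vendored copy. A comment above L101070 stating that the dependency is vendored and the `file://` path is only needed to refresh it would save the next person a confusing failure.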
diff --git a/charts/keystone/templates/bin/_bootstrap.sh.tpl b/charts/keystone/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..c325824
--- /dev/null
+++ b/charts/keystone/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
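Review bot: `set -ex` at L101095 traces every command of the operator-supplied `bootstrap.script` rendered at L101097 into the job's stdout, so any credential or token written inline in that script ends up in pod logs; whether that happens depends on what operators put in the value, which this file cannot know. Since the script is arbitrary, I would either drop `-x` here (`set -e`) or note the behaviour in the values documentation so operators keep secrets in environment variables rather than in the script body.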
diff --git a/charts/keystone/templates/bin/_cred-clean.py.tpl b/charts/keystone/templates/bin/_cred-clean.py.tpl
new file mode 100644
index 0000000..e01c3fc
--- /dev/null
+++ b/charts/keystone/templates/bin/_cred-clean.py.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+#!/usr/bin/python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter(
+ '%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical(
+ 'environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical(
+ "Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical(
+ 'Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':',
+ root_password, '@', host, ':', str(port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete all entries from credential table
+
+try:
+ cmd = "DELETE FROM credential"
+ user_engine.execute(cmd)
+ logger.info('Deleted all entries in credential table')
+except:
+ logger.critical('Failed to clean up credential table in keystone db')
+ raise
+
+logger.info('Finished DB Management')
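Review bot: The root connection URL is rebuilt at L101207-L101208 by concatenating the decoded `username`/`password`/`host`/`port` components, so a password containing URL-reserved characters (`@`, `:`, `/`, `#`) is not re-escaped and the resulting URL is parsed differently from the original; the concatenation also drops any query options the original `ROOT_DB_CONNECTION` carried, and `''.join` raises `TypeError` if `password` is `None`. Rebuilding the URL through SQLAlchemy's URL object with only the database component cleared, rather than from decoded strings, avoids all three. Separately, the `#!/usr/bin/python` line at L101116 is not the first line of the rendered file (the template comment at L101104-L101114 leaves blank lines ahead of it), so it has no effect unless the script is always invoked via `python`, as the sibling at L101308 is arranged correctly; and the bare `except:` clauses at L101187, L101214, L101226 and L101236 would be better as `except Exception:` so a `KeyboardInterrupt` is not logged as a critical DB failure.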
diff --git a/charts/keystone/templates/bin/_db-sync.sh.tpl b/charts/keystone/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..3c26488
--- /dev/null
+++ b/charts/keystone/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+keystone-manage --config-file=/etc/keystone/keystone.conf db_sync
+keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
+ --bootstrap-username ${OS_USERNAME} \
+ --bootstrap-password ${OS_PASSWORD} \
+ --bootstrap-project-name ${OS_PROJECT_NAME} \
+ --bootstrap-admin-url ${OS_BOOTSTRAP_ADMIN_URL} \
+ --bootstrap-public-url ${OS_BOOTSTRAP_PUBLIC_URL} \
+ --bootstrap-internal-url ${OS_BOOTSTRAP_INTERNAL_URL} \
+ --bootstrap-region-id ${OS_REGION_NAME}
+
+exec python /tmp/endpoint-update.py
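Review bot: With `set -ex` at L101263, the shell trace prints the fully expanded `keystone-manage bootstrap` command from L101266-L101273, including `--bootstrap-password ${OS_PASSWORD}`, so the admin password lands in the job's stdout and therefore in pod logs and any log aggregator. Dropping `-x` for this command is enough: `set +x` before L101266 and `set -x` after L101273, or use `set -e` alone at L101263. The variables should also be double-quoted (`"${OS_PASSWORD}"` etc.) so a value containing spaces or glob characters is passed as a single argument.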
diff --git a/charts/keystone/templates/bin/_domain-manage-init.sh.tpl b/charts/keystone/templates/bin/_domain-manage-init.sh.tpl
new file mode 100644
index 0000000..8ede300
--- /dev/null
+++ b/charts/keystone/templates/bin/_domain-manage-init.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{- range $k, $v := .Values.conf.ks_domains }}
+openstack --debug domain create --or-show {{ $k }}
+{{- end }}
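Review bot: The domain name is interpolated unquoted at L101300, so a key in `conf.ks_domains` containing whitespace or shell metacharacters is split or expanded by bash before `openstack` sees it; `openstack --debug domain create --or-show {{ $k | quote }}` passes it as one argument. Combining `--debug` with `set -ex` at L101298 also makes this init container very chatty; I am not certain from this file whether the CLI's debug output includes request headers, so it is worth checking the rendered job logs before leaving `--debug` on by default.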
diff --git a/charts/keystone/templates/bin/_domain-manage.py.tpl b/charts/keystone/templates/bin/_domain-manage.py.tpl
new file mode 100644
index 0000000..7e19e2e
--- /dev/null
+++ b/charts/keystone/templates/bin/_domain-manage.py.tpl
@@ -0,0 +1,59 @@
+#!/usr/bin/python
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+import json
+import os
+import requests
+import sys
+
+def main(args):
+ base_url, token, domainId, filename = args[1], args[2], args[3], args[5]
+ url = "%s/domains/%s/config" % (base_url, domainId)
+ print("Connecting to url: %r" % url)
+
+ headers = {
+ 'Content-Type': "application/json",
+ 'X-Auth-Token': token,
+ 'Cache-Control': "no-cache"
+ }
+
+ verify = os.getenv('OS_CACERT', True)
+
+ response = requests.request("GET", url, headers=headers, verify=verify)
+
+ if response.status_code == 404:
+ print("domain config not found - put")
+ action = "PUT"
+ else:
+ print("domain config found - patch")
+ action = "PATCH"
+
+ with open(filename, "rb") as f:
+ data = {"config": json.load(f)}
+
+ response = requests.request(action, url,
+ data=json.dumps(data),
+ headers=headers, verify=verify)
+
+ print("Response code on action [%s]: %s" % (action, response.status_code))
+ # Put and Patch can return 200 or 201. If it is not a 2XX code, error out.
+ if (response.status_code // 100) != 2:
+ sys.exit(1)
+
+
+if __name__ == "__main__":
+ if len(sys.argv) != 6:
+ sys.exit(1)
+ main(sys.argv)
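Review bot: `verify = os.getenv('OS_CACERT', True)` at L101339 only falls back to `True` when the variable is absent; if `OS_CACERT` is exported as an empty string, `verify` becomes `''`, which `requests` treats as false and silently disables certificate verification for both calls at L101341 and L101353. `verify = os.getenv('OS_CACERT') or True` keeps verification on in that case. The branch at L101343-L101348 also treats every non-404 status, including 401 or 5xx from the GET, as "config found" and proceeds to PATCH; checking for `200` explicitly and exiting otherwise would surface an auth or server problem at the first request instead of at L101359.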
diff --git a/charts/keystone/templates/bin/_domain-manage.sh.tpl b/charts/keystone/templates/bin/_domain-manage.sh.tpl
new file mode 100644
index 0000000..a697f11
--- /dev/null
+++ b/charts/keystone/templates/bin/_domain-manage.sh.tpl
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -e
+endpt={{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+path={{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystone/domains" }}
+
+{{- range $k, $v := .Values.conf.ks_domains }}
+
+filename=${path}/keystone.{{ $k }}.json
+python /tmp/domain-manage.py \
+ $endpt \
+ $(openstack token issue -f value -c id) \
+ $(openstack domain show {{ $k }} -f value -c id) \
+ {{ $k }} $filename
+
+{{- end }}
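Review bot: The keystone token from `openstack token issue` is handed to the Python helper as a positional argument, so it is visible in the process command line (`ps`, `/proc/<pid>/cmdline`) to anything else in the container for the lifetime of the call. Passing it through the environment instead, `OS_TOKEN=$(openstack token issue -f value -c id) python /tmp/domain-manage.py ...`, with the helper reading `os.environ['OS_TOKEN']`, keeps it out of argv. Note also that `set -e` does not cover a failing `$(...)` inside an argument list: if `openstack token issue` or `openstack domain show` fails, the unquoted empty expansion simply drops an argument and the helper exits 1 on its argc check without saying which command failed. Assigning each substitution to its own variable on a line of its own first lets `set -e` stop the script at the right place.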
diff --git a/charts/keystone/templates/bin/_endpoint-update.py.tpl b/charts/keystone/templates/bin/_endpoint-update.py.tpl
new file mode 100644
index 0000000..bb4d7b9
--- /dev/null
+++ b/charts/keystone/templates/bin/_endpoint-update.py.tpl
@@ -0,0 +1,113 @@
+#!/usr/bin/env python
+import os
+import logging
+import sys
+
+from sqlalchemy import create_engine
+
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm Keystone Endpoint management')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter(
+ '%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical(
+ 'environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical(
+ "Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical(
+ 'Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn)
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Set Internal Endpoint
+try:
+ endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
+ cmd = ("update endpoint set url = %s where interface ='internal' and "
+ "service_id = (select id from service where "
+ "service.type = 'identity')")
+ user_engine.execute(cmd, (endpoint_url,))
+except:
+ logger.critical("Could not update internal endpoint")
+ raise
+
+# Set Admin Endpoint
+try:
+ endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
+ cmd = ("update endpoint set url = %s where interface ='admin' "
+ "and service_id = (select id from service where "
+ "service.type = 'identity')")
+ user_engine.execute(cmd, (endpoint_url,))
+except:
+ logger.critical("Could not update admin endpoint")
+ raise
+
+# Set Public Endpoint
+try:
+ endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
+ cmd = ("update endpoint set url = %s where interface ='public' "
+ "and service_id = (select id from service where "
+ "service.type = 'identity')")
+ user_engine.execute(cmd, (endpoint_url,))
+except:
+ logger.critical("Could not update public endpoint")
+ raise
+
+# Print endpoints
+try:
+ endpoints = user_engine.execute(
+ ("select interface, url from endpoint where service_id = "
+ "(select id from service where service.type = 'identity')")
+ ).fetchall()
+ for row in endpoints:
+ logger.info("endpoint ({0}): {1}".format(row[0], row[1]))
+except:
+ logger.critical("Could not update endpoint")
+ raise
+
+logger.info('Finished Endpoint Management')
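Review bot: The bare `except:` around each endpoint update also catches the `KeyError` raised when the corresponding `OS_BOOTSTRAP_*_URL` variable is unset, so a missing variable is reported as "Could not update internal endpoint" rather than as a configuration error; reading the three variables up front with an explicit check, as the script already does for the DB settings, gives the accurate message. The last handler's message `"Could not update endpoint"` is also wrong for the block it guards, which only selects and prints endpoints — `"Could not list endpoints"`. `except Exception:` is the narrower form for all of these handlers. The `user_engine.execute(cmd, (endpoint_url,))` calls carry the URL as a bound parameter, which is the right way to do it.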
diff --git a/charts/keystone/templates/bin/_fernet-manage.py.tpl b/charts/keystone/templates/bin/_fernet-manage.py.tpl
new file mode 100644
index 0000000..804d769
--- /dev/null
+++ b/charts/keystone/templates/bin/_fernet-manage.py.tpl
@@ -0,0 +1,186 @@
+#!/usr/bin/env python
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+import argparse
+import base64
+import errno
+import grp
+import logging
+import os
+import pwd
+import re
+import six
+import subprocess #nosec
+import sys
+import time
+
+import requests
+
+FERNET_DIR = os.environ['KEYSTONE_KEYS_REPOSITORY']
+KEYSTONE_USER = os.environ['KEYSTONE_USER']
+KEYSTONE_GROUP = os.environ['KEYSTONE_GROUP']
+NAMESPACE = os.environ['KUBERNETES_NAMESPACE']
+
+# k8s connection data
+KUBE_HOST = None
+KUBE_CERT = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+KUBE_TOKEN = None
+
+LOG_DATEFMT = "%Y-%m-%d %H:%M:%S"
+LOG_FORMAT = "%(asctime)s.%(msecs)03d - %(levelname)s - %(message)s"
+logging.basicConfig(format=LOG_FORMAT, datefmt=LOG_DATEFMT)
+LOG = logging.getLogger(__name__)
+LOG.setLevel(logging.INFO)
+
+
+def read_kube_config():
+ global KUBE_HOST, KUBE_TOKEN
+ KUBE_HOST = "https://%s:%s" % ('kubernetes.default',
+ os.environ['KUBERNETES_SERVICE_PORT'])
+ with open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r') as f:
+ KUBE_TOKEN = f.read()
+
+
+def get_secret_definition(name):
+ url = '%s/api/v1/namespaces/%s/secrets/%s' % (KUBE_HOST, NAMESPACE, name)
+ resp = requests.get(url,
+ headers={'Authorization': 'Bearer %s' % KUBE_TOKEN},
+ verify=KUBE_CERT)
+ if resp.status_code != 200:
+ LOG.error('Cannot get secret %s.', name)
+ LOG.error(resp.text)
+ return None
+ return resp.json()
+
+
+def update_secret(name, secret):
+ url = '%s/api/v1/namespaces/%s/secrets/%s' % (KUBE_HOST, NAMESPACE, name)
+ resp = requests.put(url,
+ json=secret,
+ headers={'Authorization': 'Bearer %s' % KUBE_TOKEN},
+ verify=KUBE_CERT)
+ if resp.status_code != 200:
+ LOG.error('Cannot update secret %s.', name)
+ LOG.error(resp.text)
+ return False
+ return True
+
+
+def read_from_files():
+ keys = [name for name in os.listdir(FERNET_DIR) if os.path.isfile(FERNET_DIR + name)
+ and re.match("^\d+$", name)]
+ data = {}
+ for key in keys:
+ with open(FERNET_DIR + key, 'r') as f:
+ data[key] = f.read()
+ if len(list(keys)):
+ LOG.debug("Keys read from files: %s", keys)
+ else:
+ LOG.warn("No keys were read from files.")
+ return data
+
+
+def get_keys_data():
+ keys = read_from_files()
+ return dict([(key, base64.b64encode(value.encode()).decode())
+ for (key, value) in six.iteritems(keys)])
+
+
+def write_to_files(data):
+ if not os.path.exists(os.path.dirname(FERNET_DIR)):
+ try:
+ os.makedirs(os.path.dirname(FERNET_DIR))
+ except OSError as exc: # Guard against race condition
+ if exc.errno != errno.EEXIST:
+ raise
+ uid = pwd.getpwnam(KEYSTONE_USER).pw_uid
+ gid = grp.getgrnam(KEYSTONE_GROUP).gr_gid
+ os.chown(FERNET_DIR, uid, gid)
+
+ for (key, value) in six.iteritems(data):
+ with open(FERNET_DIR + key, 'w') as f:
+ decoded_value = base64.b64decode(value).decode()
+ f.write(decoded_value)
+ LOG.debug("Key %s: %s", key, decoded_value)
+ LOG.info("%s keys were written", len(data))
+
+
+def execute_command(cmd):
+ LOG.info("Executing 'keystone-manage %s --keystone-user=%s "
+ "--keystone-group=%s' command.",
+ cmd, KEYSTONE_USER, KEYSTONE_GROUP)
+ subprocess.call(['keystone-manage', cmd, #nosec
+ '--keystone-user=%s' % KEYSTONE_USER,
+ '--keystone-group=%s' % KEYSTONE_GROUP])
+
+def main():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('command', choices=['fernet_setup', 'fernet_rotate',
+ 'credential_setup',
+ 'credential_rotate'])
+ args = parser.parse_args()
+
+ is_credential = args.command.startswith('credential')
+
+ SECRET_NAME = ('keystone-credential-keys' if is_credential else
+ 'keystone-fernet-keys')
+
+ read_kube_config()
+ secret = get_secret_definition(SECRET_NAME)
+ if not secret:
+ LOG.error("Secret '%s' does not exist.", SECRET_NAME)
+ sys.exit(1)
+
+ if args.command in ('fernet_rotate', 'credential_rotate'):
+ LOG.info("Copying existing %s keys from secret '%s' to %s.",
+ 'credential' if is_credential else 'fernet', SECRET_NAME,
+ FERNET_DIR)
+ write_to_files(secret['data'])
+
+ if args.command in ('credential_setup', 'fernet_setup'):
+ if secret.get('data', False):
+ LOG.info('Keys already exist, skipping setup...')
+ sys.exit(0)
+
+ execute_command(args.command)
+
+ LOG.info("Updating data for '%s' secret.", SECRET_NAME)
+ updated_keys = get_keys_data()
+ secret['data'] = updated_keys
+ if not update_secret(SECRET_NAME, secret):
+ sys.exit(1)
+ LOG.info("%s fernet keys have been placed to secret '%s'",
+ len(updated_keys), SECRET_NAME)
+ LOG.debug("Placed keys: %s", updated_keys)
+ LOG.info("%s keys %s has been completed",
+ "Credential" if is_credential else 'Fernet',
+ "rotation" if args.command.endswith('_rotate') else "generation")
+
+ if args.command == 'credential_rotate':
+ # `credential_rotate` needs doing `credential_migrate` as well once all
+ # of the nodes have the new keys. So we'll sleep configurable amount of
+ # time to make sure k8s reloads the secrets in all pods and then
+ # execute `credential_migrate`.
+
+ migrate_wait = int(os.getenv('KEYSTONE_CREDENTIAL_MIGRATE_WAIT', "60"))
+ LOG.info("Waiting %d seconds to execute `credential_migrate`.",
+ migrate_wait)
+ time.sleep(migrate_wait)
+
+ execute_command('credential_migrate')
+
+if __name__ == "__main__":
+ main()
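Review bot: `execute_command` discards the return code of `subprocess.call`, so a failing `keystone-manage fernet_rotate`/`credential_rotate` is not detected and `main` goes on to upload whatever is in the key repository as the new secret contents; `subprocess.check_call([...])`, or checking the return value and exiting non-zero, makes the job fail instead. Two points on the key material itself: `LOG.debug("Key %s: %s", key, decoded_value)` and `LOG.debug("Placed keys: %s", updated_keys)` write the decoded and base64 key bytes into the log whenever the level is lowered to DEBUG — logging only the key indexes (`list(data)`) avoids that. The path arithmetic `FERNET_DIR + name` and `os.path.dirname(FERNET_DIR)` only work when KEYSTONE_KEYS_REPOSITORY ends with a slash; `os.path.join(FERNET_DIR, name)` and `os.makedirs(FERNET_DIR)` remove that hidden requirement. `re.match("^\d+$", name)` should be a raw string, `r"^\d+$"`.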
diff --git a/charts/keystone/templates/bin/_keystone-api.sh.tpl b/charts/keystone/templates/bin/_keystone-api.sh.tpl
new file mode 100644
index 0000000..d735067
--- /dev/null
+++ b/charts/keystone/templates/bin/_keystone-api.sh.tpl
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+COMMAND="${@:-start}"
+
+function start () {
+
+ for KEYSTONE_WSGI_SCRIPT in keystone-wsgi-public; do
+ cp -a $(type -p ${KEYSTONE_WSGI_SCRIPT}) /var/www/cgi-bin/keystone/
+ done
+
+ {{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+ {{- end }}
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ fi
+
+ if [ -f /var/run/apache2/apache2.pid ]; then
+ # Remove the stale pid for debian/ubuntu images
+ rm -f /var/run/apache2/apache2.pid
+ fi
+
+ # Start Apache2
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+}
+
+function stop () {
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ fi
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+}
+
+$COMMAND
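Review bot: `COMMAND="${@:-start}"` joins all arguments into one string and `$COMMAND` then re-splits it on whitespace, so the dispatch works by accident rather than by design; `"${1:-start}"` followed by `"$COMMAND"` states the intent (one function name) and stops stray arguments from being spliced into the command. Style only; with the current callers the rendered behaviour is the same.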
diff --git a/charts/keystone/templates/certificates.yaml b/charts/keystone/templates/certificates.yaml
new file mode 100644
index 0000000..f8a73c4
--- /dev/null
+++ b/charts/keystone/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
+{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/keystone/templates/configmap-bin.yaml b/charts/keystone/templates/configmap-bin.yaml
new file mode 100644
index 0000000..45512d3
--- /dev/null
+++ b/charts/keystone/templates/configmap-bin.yaml
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: keystone-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ cred-clean.py: |
+{{ tuple "bin/_cred-clean.py.tpl" . | include "helm-toolkit.utils.template" |indent 4}}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ keystone-api.sh: |
+{{ tuple "bin/_keystone-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ endpoint-update.py: |
+{{ tuple "bin/_endpoint-update.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ fernet-manage.py: |
+{{ tuple "bin/_fernet-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ domain-manage-init.sh: |
+{{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ domain-manage.sh: |
+{{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ domain-manage.py: |
+{{ tuple "bin/_domain-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
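Review bot: The `cred-clean.py` entry formats its pipeline as `|indent 4}}` while every other entry in the map writes `| indent 4 }}`; make it `{{ tuple "bin/_cred-clean.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}` for consistency. Style only; the rendered ConfigMap is the same.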
diff --git a/charts/keystone/templates/configmap-etc.yaml b/charts/keystone/templates/configmap-etc.yaml
new file mode 100644
index 0000000..4b7f046
--- /dev/null
+++ b/charts/keystone/templates/configmap-etc.yaml
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.keystone.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.keystone.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.keystone.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.keystone.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "keystone" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.keystone.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.keystone.cache.memcache_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.keystone.cache "memcache_servers" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keystone-etc
+type: Opaque
+data:
+ rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+ keystone.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.logging | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+ access_rules.json: {{ toJson .Values.conf.access_rules | b64enc }}
+ ports.conf: ''
+{{- range $k, $v := .Values.conf.ks_domains }}
+ keystone.{{ $k }}.json: {{ toJson $v | b64enc }}
+{{- end }}
+{{- if .Values.conf.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end}}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_keystone "key" "wsgi-keystone.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.sso_callback_template "key" "sso_callback_template.html" "format" "Secret" ) | indent 2 }}
+{{- end }}
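Review bot: The per-domain entries `keystone.{{ $k }}.json:` use the `ks_domains` map key verbatim as a Secret data key, and Kubernetes only accepts data keys matching `[-._a-zA-Z0-9]+`, so a domain name with a space or any other character outside that set produces an object the API server rejects at install time instead of a clear template error. A guard at the top of the range, `{{- if not (regexMatch "^[-._a-zA-Z0-9]+$" $k) }}{{ fail (printf "invalid ks_domains key %q" $k) }}{{- end }}`, surfaces that early; the same `$k` is also interpolated unquoted into the shell in `_domain-manage.sh.tpl`, so the check protects both consumers. Minor: `{{- end}}` after the security block lacks the space the other directives use.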
diff --git a/charts/keystone/templates/cron-job-credential-rotate.yaml b/charts/keystone/templates/cron-job-credential-rotate.yaml
new file mode 100644
index 0000000..fd26b23
--- /dev/null
+++ b/charts/keystone/templates/cron-job-credential-rotate.yaml
@@ -0,0 +1,132 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_credential_rotate }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_credential_rotate := .Values.pod.mounts.keystone_credential_rotate.keystone_credential_rotate }}
+{{- $mounts_keystone_credential_rotate_init := .Values.pod.mounts.keystone_credential_rotate.init_container }}
+
+{{- $serviceAccountName := "keystone-credential-rotate" }}
+{{ tuple $envAll "credential_rotate" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: keystone-credential-rotate
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.credential_rotate.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.credential_rotate.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.credential_rotate.history.failed }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "keystone" "credential-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "keystone" "credential-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+{{ tuple $envAll "credential_rotate" $mounts_keystone_credential_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ containers:
+ - name: keystone-credential-rotate
+{{ tuple $envAll "keystone_credential_rotate" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.credential_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+ env:
+ - name: KEYSTONE_USER
+ value: {{ .Values.jobs.credential_rotate.user | quote }}
+ - name: KEYSTONE_GROUP
+ value: {{ .Values.jobs.credential_rotate.group | quote }}
+ - name: KUBERNETES_NAMESPACE
+ value: {{ .Release.Namespace | quote }}
+ - name: KEYSTONE_KEYS_REPOSITORY
+ value: {{ .Values.conf.keystone.credential.key_repository | quote }}
+ - name: KEYSTONE_CREDENTIAL_MIGRATE_WAIT
+ value: {{ .Values.jobs.credential_rotate.migrate_wait | quote }}
+ command:
+ - python
+ - /tmp/fernet-manage.py
+ - credential_rotate
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etckeystone
+ mountPath: /etc/keystone
+ - name: keystone-etc
+ mountPath: /etc/keystone/keystone.conf
+ subPath: keystone.conf
+ readOnly: true
+ {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: keystone-bin
+ mountPath: /tmp/fernet-manage.py
+ subPath: fernet-manage.py
+ readOnly: true
+{{ if $mounts_keystone_credential_rotate.volumeMounts }}{{ toYaml $mounts_keystone_credential_rotate.volumeMounts | indent 16 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etckeystone
+ emptyDir: {}
+ - name: keystone-etc
+ secret:
+ secretName: keystone-etc
+ defaultMode: 0444
+ - name: keystone-bin
+ configMap:
+ name: keystone-bin
+ defaultMode: 0555
+{{ if $mounts_keystone_credential_rotate.volumes }}{{ toYaml $mounts_keystone_credential_rotate.volumes | indent 12 }}{{ end }}
+{{- end }}
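Review bot: The Role grants `get`, `list`, `create` and `update` on every Secret in the namespace, but `fernet-manage.py` only GETs and PUTs the single `keystone-credential-keys` secret, so `list` and `create` are unused and the grant can be narrowed with `resourceNames: ["keystone-credential-keys"]` on a `get`/`update` rule; the same applies to the `keystone-fernet-rotate` Role in cron-job-fernet-rotate.yaml with `keystone-fernet-keys`. Both CronJobs also declare `apiVersion: batch/v1beta1`, which was removed in Kubernetes 1.25; `batch/v1` is the replacement. Unlike the fernet-rotate job, this pod spec renders neither `helm-toolkit.snippets.kubernetes_pod_security_context` nor `helm-toolkit.snippets.kubernetes_container_security_context`, so the rotate container runs with whatever the image defaults to; adding the two includes with `"application" "credential_rotate"` brings it in line with its sibling.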
diff --git a/charts/keystone/templates/cron-job-fernet-rotate.yaml b/charts/keystone/templates/cron-job-fernet-rotate.yaml
new file mode 100644
index 0000000..8f4f4f9
--- /dev/null
+++ b/charts/keystone/templates/cron-job-fernet-rotate.yaml
@@ -0,0 +1,134 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_fernet_rotate }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_fernet_rotate := .Values.pod.mounts.keystone_fernet_rotate.keystone_fernet_rotate }}
+{{- $mounts_keystone_fernet_rotate_init := .Values.pod.mounts.keystone_fernet_rotate.init_container }}
+
+{{- $serviceAccountName := "keystone-fernet-rotate" }}
+{{ tuple $envAll "fernet_rotate" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: keystone-fernet-rotate
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.fernet_rotate.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.fernet_rotate.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.fernet_rotate.history.failed }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "fernet_rotate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+ initContainers:
+{{ tuple $envAll "fernet_rotate" $mounts_keystone_fernet_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ containers:
+ - name: keystone-fernet-rotate
+{{ tuple $envAll "keystone_fernet_rotate" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.fernet_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "fernet_rotate" "container" "keystone_fernet_rotate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14}}
+ env:
+ - name: KEYSTONE_USER
+ value: {{ .Values.jobs.fernet_rotate.user | quote }}
+ - name: KEYSTONE_GROUP
+ value: {{ .Values.jobs.fernet_rotate.group | quote }}
+ - name: KUBERNETES_NAMESPACE
+ value: {{ .Release.Namespace | quote }}
+ - name: KEYSTONE_KEYS_REPOSITORY
+ value: {{ .Values.conf.keystone.fernet_tokens.key_repository | quote }}
+ command:
+ - python
+ - /tmp/fernet-manage.py
+ - fernet_rotate
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etckeystone
+ mountPath: /etc/keystone
+ - name: keystone-etc
+ mountPath: /etc/keystone/keystone.conf
+ subPath: keystone.conf
+ readOnly: true
+ {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: keystone-bin
+ mountPath: /tmp/fernet-manage.py
+ subPath: fernet-manage.py
+ readOnly: true
+{{ if $mounts_keystone_fernet_rotate.volumeMounts }}{{ toYaml $mounts_keystone_fernet_rotate.volumeMounts | indent 16 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etckeystone
+ emptyDir: {}
+ - name: keystone-etc
+ secret:
+ secretName: keystone-etc
+ defaultMode: 0444
+ - name: keystone-bin
+ configMap:
+ name: keystone-bin
+ defaultMode: 0555
+{{ if $mounts_keystone_fernet_rotate.volumes }}{{ toYaml $mounts_keystone_fernet_rotate.volumes | indent 12 }}{{ end }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/deployment-api.yaml b/charts/keystone/templates/deployment-api.yaml
new file mode 100644
index 0000000..f415493
--- /dev/null
+++ b/charts/keystone/templates/deployment-api.yaml
@@ -0,0 +1,202 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "apiProbeTemplate" }}
+httpGet:
+ scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /v3/
+ port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_api := .Values.pod.mounts.keystone_api.keystone_api }}
+{{- $mounts_keystone_api_init := .Values.pod.mounts.keystone_api.init_container }}
+
+{{- $serviceAccountName := "keystone-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keystone-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-api" "containerNames" (list "keystone-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_keystone_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: keystone-api
+{{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "keystone" "container" "keystone_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/keystone-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/keystone-api.sh
+ - stop
+ ports:
+ - name: ks-pub
+ containerPort: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ dict "envAll" $envAll "component" "api" "container" "api" "type" "readiness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
+{{ dict "envAll" $envAll "component" "api" "container" "api" "type" "liveness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etckeystone
+ mountPath: /etc/keystone
+ - name: logs-apache
+ mountPath: /var/log/apache2
+ - name: run-apache
+ mountPath: /var/run/apache2
+ - name: wsgi-keystone
+ mountPath: /var/www/cgi-bin/keystone
+ - name: keystone-etc
+ mountPath: /etc/keystone/keystone.conf
+ subPath: keystone.conf
+ readOnly: true
+ - name: keystone-etc
+ mountPath: /etc/apache2/ports.conf
+ subPath: ports.conf
+ readOnly: true
+ {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: keystone-etc
+ mountPath: /etc/keystone/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: keystone-etc
+ mountPath: /etc/keystone/access_rules.json
+ subPath: access_rules.json
+ readOnly: true
+ - name: keystone-etc
+ mountPath: /etc/keystone/sso_callback_template.html
+ subPath: sso_callback_template.html
+ readOnly: true
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-keystone.conf
+ subPath: wsgi-keystone.conf
+ readOnly: true
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+ subPath: mpm_event.conf
+ readOnly: true
+{{- if .Values.conf.security }}
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+ subPath: security.conf
+ readOnly: true
+{{- end }}
+ - name: keystone-bin
+ mountPath: /tmp/keystone-api.sh
+ subPath: keystone-api.sh
+ readOnly: true
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+ - name: keystone-ldap-tls
+ mountPath: /etc/keystone/ldap/tls.ca
+ subPath: tls.ca
+ readOnly: true
+{{- end }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+ - name: keystone-fernet-keys
+ mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
+{{- end }}
+ - name: keystone-credential-keys
+ mountPath: {{ .Values.conf.keystone.credential.key_repository }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etckeystone
+ emptyDir: {}
+ - name: wsgi-keystone
+ emptyDir: {}
+ - name: logs-apache
+ emptyDir: {}
+ - name: run-apache
+ emptyDir: {}
+ - name: keystone-etc
+ secret:
+ secretName: keystone-etc
+ defaultMode: 0444
+ - name: keystone-bin
+ configMap:
+ name: keystone-bin
+ defaultMode: 0555
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+ - name: keystone-ldap-tls
+ secret:
+ secretName: keystone-ldap-tls
+{{- end }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+ - name: keystone-fernet-keys
+ secret:
+ secretName: keystone-fernet-keys
+{{- end }}
+ - name: keystone-credential-keys
+ secret:
+ secretName: keystone-credential-keys
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
+{{- end }}
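Review bot: The `keystone-fernet-keys` and `keystone-credential-keys` secret mounts in the api container (the two `mountPath: {{ .Values.conf.keystone...key_repository }}` entries) carry no `readOnly: true`, whereas the equivalent fernet mount in job-db-sync in this same commit does. Kubernetes serves secret volumes read-only regardless, so this is a consistency point rather than a defect, but declaring it makes the intent explicit and keeps policy tooling that flags writable secret mounts quiet; add `readOnly: true` under both `mountPath:` lines. The chart appears to be bundled from upstream openstack-helm, so the change likely belongs there rather than in this repository.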
diff --git a/charts/keystone/templates/ingress-api.yaml b/charts/keystone/templates/ingress-api.yaml
new file mode 100644
index 0000000..7bdcee6
--- /dev/null
+++ b/charts/keystone/templates/ingress-api.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}}
+{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-bootstrap.yaml b/charts/keystone/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..e908927
--- /dev/null
+++ b/charts/keystone/templates/job-bootstrap.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
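Review bot: The `metadata.annotations.job.bootstrap` helper emits `helm.sh/hook` and `helm.sh/hook-weight` unconditionally, while the sibling helpers in job-db-init and job-db-sync in this commit wrap the same annotations in `{{- if .Values.helm3_hook -}}`. If `helm3_hook` is meant to switch hook behaviour for the whole chart, a release with it disabled still gets a post-install/post-upgrade hook for bootstrap, so the jobs would not run in the same phase; wrapping the two annotation lines in the same guard would align them. Whether `helm3_hook` is intended to cover the bootstrap job cannot be confirmed from this hunk.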
diff --git a/charts/keystone/templates/job-credential-cleanup.yaml b/charts/keystone/templates/job-credential-cleanup.yaml
new file mode 100644
index 0000000..854c5b6
--- /dev/null
+++ b/charts/keystone/templates/job-credential-cleanup.yaml
@@ -0,0 +1,123 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_credential_cleanup }}
+{{- $envAll := index . -}}
+
+{{- $serviceName := "keystone" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := "keystone-bin" -}}
+{{- $configMapEtc := "keystone-etc" -}}
+{{- $dbToClean := index . "dbToClean" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+
+{{ tuple $envAll "credential_cleanup" $serviceName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: "keystone-credential-cleanup"
+ labels:
+{{ tuple $envAll "keystone" "credential-cleanup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded, hook-failed
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "credential-cleanup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-credential-cleanup" "containerNames" (list "keystone-credential-cleanup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceName }}
+ restartPolicy: Never
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "credential_cleanup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{ $dbToCleanType := default "oslo" $dbToClean.inputType }}
+ - name: {{ printf "%s-%s" $serviceName "credential-cleanup" | quote }}
+ image: {{ $envAll.Values.images.tags.keystone_credential_cleanup }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToClean.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToCleanType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToClean.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToClean.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToClean.configDbKey | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - python
+ - /tmp/cred-clean.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: cred-clean-sh
+ mountPath: /tmp/cred-clean.py
+ subPath: cred-clean.py
+ readOnly: true
+{{- if eq $dbToCleanType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToClean.configFile | quote }}
+ - name: cred-clean-conf
+ mountPath: {{ $dbToClean.configFile | quote }}
+ subPath: {{ base $dbToClean.configFile | quote }}
+ readOnly: true
+ - name: cred-clean-conf
+ mountPath: {{ $dbToClean.logConfigFile | quote }}
+ subPath: {{ base $dbToClean.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: cred-clean-sh
+ configMap:
+ name: "keystone-bin"
+ defaultMode: 0555
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- $dbToCleanType := default "oslo" $dbToClean.inputType }}
+{{- if and (eq $dbToCleanType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: cred-clean-conf
+ secret:
+ secretName: "keystone-etc"
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
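Review bot: The credential-cleanup container (the `- name:` entry under `containers:`) renders no pod or container securityContext, unlike deployment-api and job-credential-setup in this commit, which include `helm-toolkit.snippets.kubernetes_pod_security_context` and `kubernetes_container_security_context`; it also sets `image:` and `imagePullPolicy:` by hand rather than via `helm-toolkit.snippets.image`. A pod that receives the database admin connection string (`ROOT_DB_CONNECTION` from `$dbToClean.adminSecret`) is exactly where a non-root, no-privilege-escalation context matters most. Adding `{{ dict "envAll" $envAll "application" "credential_cleanup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` under `spec:` and the matching container snippet would align it, provided values.yaml defines `pod.security_context.credential_cleanup`, which this hunk does not show. The `$local.configMapBinFirst` bookkeeping at the end of the volumes list looks like a leftover from a loop-based template and could be dropped, since this job only ever renders one database.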
diff --git a/charts/keystone/templates/job-credential-setup.yaml b/charts/keystone/templates/job-credential-setup.yaml
new file mode 100644
index 0000000..1d30eb1
--- /dev/null
+++ b/charts/keystone/templates/job-credential-setup.yaml
@@ -0,0 +1,139 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_credential_setup }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_credential_setup := .Values.pod.mounts.keystone_credential_setup.keystone_credential_setup }}
+{{- $mounts_keystone_credential_setup_init := .Values.pod.mounts.keystone_credential_setup.init_container }}
+
+{{- $serviceAccountName := "keystone-credential-setup" }}
+{{ tuple $envAll "credential_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: keystone-credential-setup
+ labels:
+{{ tuple $envAll "keystone" "credential-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+{{- if .Values.helm3_hook }}
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "keystone" "credential-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-credential-setup" "containerNames" (list "keystone-credential-setup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "credential_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ initContainers:
+{{ tuple $envAll "credential_setup" $mounts_keystone_credential_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ containers:
+ - name: keystone-credential-setup
+{{ tuple $envAll "keystone_credential_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.credential_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "credential_setup" "container" "keystone_credential_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: KEYSTONE_USER
+ value: {{ .Values.jobs.credential_setup.user | quote }}
+ - name: KEYSTONE_GROUP
+ value: {{ .Values.jobs.credential_setup.group | quote }}
+ - name: KUBERNETES_NAMESPACE
+ value: {{ .Release.Namespace | quote }}
+ - name: KEYSTONE_KEYS_REPOSITORY
+ value: {{ .Values.conf.keystone.credential.key_repository | quote }}
+ command:
+ - python
+ - /tmp/fernet-manage.py
+ - credential_setup
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etckeystone
+ mountPath: /etc/keystone
+ - name: credential-keys
+ mountPath: {{ .Values.conf.keystone.credential.key_repository | quote }}
+ - name: keystone-etc
+ mountPath: /etc/keystone/keystone.conf
+ subPath: keystone.conf
+ readOnly: true
+ {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: keystone-bin
+ mountPath: /tmp/fernet-manage.py
+ subPath: fernet-manage.py
+ readOnly: true
+{{ if $mounts_keystone_credential_setup.volumeMounts }}{{ toYaml $mounts_keystone_credential_setup.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etckeystone
+ emptyDir: {}
+ - name: credential-keys
+ emptyDir: {}
+ - name: keystone-etc
+ secret:
+ secretName: keystone-etc
+ defaultMode: 0444
+ - name: keystone-bin
+ configMap:
+ name: keystone-bin
+ defaultMode: 0555
+{{ if $mounts_keystone_credential_setup.volumes }}{{ toYaml $mounts_keystone_credential_setup.volumes | indent 8 }}{{ end }}
+{{- end }}
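Review bot: The Role at the top of the file grants `get`, `list`, `create` and `update` on every Secret in the namespace, which lets the credential-setup service account read secrets unrelated to its task (the DB and messaging admin credentials and TLS material referenced elsewhere in this chart). If fernet-manage.py only needs to read and rewrite its own key secret, `get` and `update` can be pinned with `resourceNames: ["keystone-credential-keys"]`, `create` (which cannot be name-restricted) kept in a separate rule, and `list` dropped unless the script depends on it; what the script actually requires is not visible in this hunk. The chart appears bundled from upstream openstack-helm, so the tightening may belong there or in a post-render patch rather than in this commit.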
diff --git a/charts/keystone/templates/job-db-drop.yaml b/charts/keystone/templates/job-db-drop.yaml
new file mode 100644
index 0000000..512b8eb
--- /dev/null
+++ b/charts/keystone/templates/job-db-drop.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "keystone" -}}
+{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-db-init.yaml b/charts/keystone/templates/job-db-init.yaml
new file mode 100644
index 0000000..53e9573
--- /dev/null
+++ b/charts/keystone/templates/job-db-init.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+{{- if .Values.helm3_hook -}}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end -}}
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-db-sync.yaml b/charts/keystone/templates/job-db-sync.yaml
new file mode 100644
index 0000000..c3e7315
--- /dev/null
+++ b/charts/keystone/templates/job-db-sync.yaml
@@ -0,0 +1,83 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+{{- if .Values.helm3_hook -}}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end -}}
+{{- end }}
+
+{{- define "keystone.templates._job_db_sync.env_vars" -}}
+{{- $envAll := index . 0 -}}
+env:
+ - name: OS_BOOTSTRAP_ADMIN_URL
+ value: {{ tuple "identity" "admin" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ - name: OS_BOOTSTRAP_INTERNAL_URL
+ value: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ - name: OS_BOOTSTRAP_PUBLIC_URL
+ value: {{ tuple "identity" "public" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: "/etc/keystone/keystone.conf"
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: "database"
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: "connection"
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 2}}
+{{- end }}
+{{- end }}
+
+{{- define "keystone.templates._job_db_sync.pod_vol_mounts" -}}
+{{- $envAll := index . 0 -}}
+volumeMounts:
+ - name: db-sync-sh
+ mountPath: /tmp/endpoint-update.py
+ subPath: endpoint-update.py
+ readOnly: true
+ - name: keystone-fernet-keys
+ mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }}
+ readOnly: true
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
+{{- end }}
+{{- end }}
+
+{{- define "keystone.templates._job_db_sync.pod_vols" -}}
+{{- $envAll := index . 0 -}}
+volumes:
+ - name: keystone-fernet-keys
+ secret:
+ secretName: keystone-fernet-keys
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $local := dict "podVolMounts" false "podVols" false -}}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+{{- $_ := set $local "podVolMounts" ( index ( tuple . | include "keystone.templates._job_db_sync.pod_vol_mounts" | toString | fromYaml ) "volumeMounts" ) }}
+{{- $_ := set $local "podVols" ( index ( tuple . | include "keystone.templates._job_db_sync.pod_vols" | toString | fromYaml ) "volumes" ) }}
+{{- end }}
+{{- $podEnvVars := tuple . | include "keystone.templates._job_db_sync.env_vars" | toString | fromYaml }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "keystone" "podVolMounts" $local.podVolMounts "podVols" $local.podVols "podEnvVars" $podEnvVars.env "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-domain-manage.yaml b/charts/keystone/templates/job-domain-manage.yaml
new file mode 100644
index 0000000..5a1c8e2
--- /dev/null
+++ b/charts/keystone/templates/job-domain-manage.yaml
@@ -0,0 +1,150 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_domain_manage }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_domain_manage := .Values.pod.mounts.keystone_domain_manage.keystone_domain_manage }}
+{{- $mounts_keystone_domain_manage_init := .Values.pod.mounts.keystone_domain_manage.init_container }}
+
+{{- $serviceAccountName := "keystone-domain-manage" }}
+{{ tuple $envAll "domain_manage" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: keystone-domain-manage
+ labels:
+{{ tuple $envAll "keystone" "domain-manage" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "keystone" "domain-manage" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-domain-manage" "containerNames" (list "keystone-domain-manage" "keystone-domain-manage-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "domain_manage" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "domain_manage" $mounts_keystone_domain_manage_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: keystone-domain-manage-init
+{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ command:
+ - /tmp/domain-manage-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: keystone-bin
+ mountPath: /tmp/domain-manage-init.sh
+ subPath: domain-manage-init.sh
+ readOnly: true
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ containers:
+ - name: keystone-domain-manage
+{{ tuple $envAll "keystone_domain_manage" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ command:
+ - /tmp/domain-manage.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etckeystonedomains
+ mountPath: {{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystone/domains" }}
+ - name: etckeystone
+ mountPath: /etc/keystone
+ - name: keystone-bin
+ mountPath: /tmp/domain-manage.sh
+ subPath: domain-manage.sh
+ readOnly: true
+ - name: keystone-bin
+ mountPath: /tmp/domain-manage.py
+ subPath: domain-manage.py
+ readOnly: true
+ - name: keystone-etc
+ mountPath: /etc/keystone/keystone.conf
+ subPath: keystone.conf
+ readOnly: true
+ {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{- range $k, $v := .Values.conf.ks_domains }}
+ - name: keystone-etc
+ mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystone/domains" }}/keystone.{{ $k }}.json
+ subPath: keystone.{{ $k }}.json
+ readOnly: true
+{{- end }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+ - name: keystone-fernet-keys
+ mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
+{{- end }}
+ - name: keystone-credential-keys
+ mountPath: {{ .Values.conf.keystone.credential.key_repository }}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etckeystone
+ emptyDir: {}
+ - name: etckeystonedomains
+ emptyDir: {}
+ - name: keystone-etc
+ secret:
+ secretName: keystone-etc
+ defaultMode: 0444
+ - name: keystone-bin
+ configMap:
+ name: keystone-bin
+ defaultMode: 0555
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+ - name: keystone-fernet-keys
+ secret:
+ secretName: keystone-fernet-keys
+{{- end }}
+ - name: keystone-credential-keys
+ secret:
+ secretName: keystone-credential-keys
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }}
+{{- end }}
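Review bot: The `"helm.sh/hook"` and `"helm.sh/hook-delete-policy"` annotations on the `keystone-domain-manage` Job are emitted unconditionally, while job-fernet-setup.yaml in this same commit wraps the equivalent annotations in `{{- if .Values.helm3_hook }}` … `{{- end }}`. With `helm3_hook` disabled this Job is therefore still a hook, is not tracked as a release resource, and is deleted/recreated on every upgrade, which is a different lifecycle from the other jobs in the chart. Guard the `annotations:` block here the same way so the flag has one meaning across templates; whether the unconditional form is intentional upstream is not visible from this diff.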
diff --git a/charts/keystone/templates/job-fernet-setup.yaml b/charts/keystone/templates/job-fernet-setup.yaml
new file mode 100644
index 0000000..786772d
--- /dev/null
+++ b/charts/keystone/templates/job-fernet-setup.yaml
@@ -0,0 +1,140 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_fernet_setup }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_fernet_setup := .Values.pod.mounts.keystone_fernet_setup.keystone_fernet_setup }}
+{{- $mounts_keystone_fernet_setup_init := .Values.pod.mounts.keystone_fernet_setup.init_container }}
+
+{{- $serviceAccountName := "keystone-fernet-setup" }}
+{{ tuple $envAll "fernet_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: keystone-fernet-setup
+ labels:
+{{ tuple $envAll "keystone" "fernet-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if .Values.helm3_hook }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "keystone" "fernet-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "keystone-fernet-setup" "containerNames" (list "keystone-fernet-setup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "fernet_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ initContainers:
+{{ tuple $envAll "fernet_setup" $mounts_keystone_fernet_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ containers:
+ - name: keystone-fernet-setup
+{{ tuple $envAll "keystone_fernet_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.fernet_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "fernet_setup" "container" "keystone_fernet_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: KEYSTONE_USER
+ value: {{ .Values.jobs.fernet_setup.user | quote }}
+ - name: KEYSTONE_GROUP
+ value: {{ .Values.jobs.fernet_setup.group | quote }}
+ - name: KUBERNETES_NAMESPACE
+ value: {{ .Release.Namespace | quote }}
+ - name: KEYSTONE_KEYS_REPOSITORY
+ value: {{ .Values.conf.keystone.fernet_tokens.key_repository | quote }}
+ command:
+ - python
+ - /tmp/fernet-manage.py
+ - fernet_setup
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etckeystone
+ mountPath: /etc/keystone
+ - name: fernet-keys
+ mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository | quote }}
+ - name: keystone-etc
+ mountPath: /etc/keystone/keystone.conf
+ subPath: keystone.conf
+ readOnly: true
+ {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: keystone-bin
+ mountPath: /tmp/fernet-manage.py
+ subPath: fernet-manage.py
+ readOnly: true
+{{ if $mounts_keystone_fernet_setup.volumeMounts }}{{ toYaml $mounts_keystone_fernet_setup.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etckeystone
+ emptyDir: {}
+ - name: fernet-keys
+ emptyDir: {}
+ - name: keystone-etc
+ secret:
+ secretName: keystone-etc
+ defaultMode: 0444
+ - name: keystone-bin
+ configMap:
+ name: keystone-bin
+ defaultMode: 0555
+{{ if $mounts_keystone_fernet_setup.volumes }}{{ toYaml $mounts_keystone_fernet_setup.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
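Review bot: The Role bound to `keystone-fernet-setup` grants `get`, `list`, `create` and `update` on every Secret in the namespace, although the only Secret this job is visibly concerned with is `keystone-fernet-keys` (the `fernet-manage.py` script itself is not in view, so the exact set of Secrets it touches should be confirmed). Any process in that job pod can consequently read all credentials in the namespace. If the script only reads and rewrites the one Secret, `get` and `update` can be scoped with `resourceNames`; `list` and `create` cannot be restricted by name and should be kept in their own rule only if the script really needs them.

```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - keystone-fernet-keys
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - list
      - create
# … unchanged: RoleBinding and Job …
```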
diff --git a/charts/keystone/templates/job-image-repo-sync.yaml b/charts/keystone/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..fd301c3
--- /dev/null
+++ b/charts/keystone/templates/job-image-repo-sync.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/keystone/templates/job-rabbit-init.yaml b/charts/keystone/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..2bb258e
--- /dev/null
+++ b/charts/keystone/templates/job-rabbit-init.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/keystone/templates/network_policy.yaml b/charts/keystone/templates/network_policy.yaml
new file mode 100644
index 0000000..91946e8
--- /dev/null
+++ b/charts/keystone/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "keystone" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/keystone/templates/pdb.yaml b/charts/keystone/templates/pdb.yaml
new file mode 100644
index 0000000..975a098
--- /dev/null
+++ b/charts/keystone/templates/pdb.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: keystone-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
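Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget was removed in Kubernetes 1.25, and `policy/v1` has been served since 1.21, so on current clusters this manifest is rejected at install time. Change it to `apiVersion: policy/v1`; the `minAvailable` and `selector` fields used here are identical in both versions. If clusters older than 1.21 must still be supported, select the version with `.Capabilities.APIVersions.Has "policy/v1"` rather than hard-coding the deprecated one.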
diff --git a/charts/keystone/templates/pod-rally-test.yaml b/charts/keystone/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..c3730cc
--- /dev/null
+++ b/charts/keystone/templates/pod-rally-test.yaml
@@ -0,0 +1,123 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.keystone_tests.keystone_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.keystone_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ print $envAll.Release.Name "-test" }}
+ labels:
+{{ tuple $envAll "keystone" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "keystone-test" "containerNames" (list "init" "keystone-test" "keystone-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+ restartPolicy: Never
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ - name: keystone-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "keystone_test_ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
+ command:
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: keystone-bin
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- end }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+ containers:
+ - name: keystone-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "keystone_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6}}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: RALLY_ENV_NAME
+ value: {{.Release.Name}}
+ command:
+ - /tmp/rally-test.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: keystone-etc
+ mountPath: /etc/rally/rally_tests.yaml
+ subPath: rally_tests.yaml
+ readOnly: true
+ - name: keystone-bin
+ mountPath: /tmp/rally-test.sh
+ subPath: rally-test.sh
+ readOnly: true
+ - name: rally-db
+ mountPath: /var/lib/rally
+ - name: rally-work
+ mountPath: /home/rally/.rally
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- end }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: keystone-etc
+ secret:
+ secretName: keystone-etc
+ defaultMode: 0444
+ - name: keystone-bin
+ configMap:
+ name: keystone-bin
+ defaultMode: 0555
+ - name: rally-db
+ emptyDir: {}
+ - name: rally-work
+ emptyDir: {}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- end }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
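Review bot: `value: {{.Release.Name}}` for `RALLY_ENV_NAME` is emitted as a plain scalar, while the other literal env values in this file are quoted (`"test"`, `| quote`); a release name such as `no` or an all-digit name is a valid Helm name but parses as a boolean or integer, after which the API server rejects the env value as non-string. Use `value: {{ .Release.Name | quote }}`. The `release_uuid` include on the `annotations:` line is also written inline instead of through `| indent` as the Job templates in this commit do, which only works as long as that snippet renders a single line.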
diff --git a/charts/keystone/templates/secret-credential-keys.yaml b/charts/keystone/templates/secret-credential-keys.yaml
new file mode 100644
index 0000000..8a2c5eb
--- /dev/null
+++ b/charts/keystone/templates/secret-credential-keys.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_credential_keys }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keystone-credential-keys
+{{- if .Values.helm3_hook }}
+ annotations:
+ "helm.sh/hook": pre-install
+{{- end }}
+type: Opaque
+data:
+{{- end }}
diff --git a/charts/keystone/templates/secret-db.yaml b/charts/keystone/templates/secret-db.yaml
new file mode 100644
index 0000000..55ff593
--- /dev/null
+++ b/charts/keystone/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "keystone" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
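Review bot: The TLS form of `DB_CONNECTION` is selected on `$envAll.Values.manifests.certificates` alone, while the volumes that actually mount `/etc/mysql/certs` (the db-sync job earlier in this commit, for example) are gated on both `manifests.certificates` and `endpoints.oslo_db.auth.admin.secret.tls.internal`. With certificates enabled but no oslo_db TLS secret configured, the connection string points at `ssl_ca`/`ssl_key`/`ssl_cert` files that are never mounted and every DB client fails to connect. Use the same conjunction here: `{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}`. Keep `ssl_verify_cert` in the URI while fixing the gate; it is what makes the MySQL TLS connection verify the server.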
diff --git a/charts/keystone/templates/secret-fernet-keys.yaml b/charts/keystone/templates/secret-fernet-keys.yaml
new file mode 100644
index 0000000..8af0973
--- /dev/null
+++ b/charts/keystone/templates/secret-fernet-keys.yaml
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_fernet_keys }}
+{{- $envAll := . }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keystone-fernet-keys
+{{- if .Values.helm3_hook }}
+ annotations:
+ "helm.sh/hook": pre-install
+{{- end }}
+type: Opaque
+data:
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-ingress-tls.yaml b/charts/keystone/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..e261b3c
--- /dev/null
+++ b/charts/keystone/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "identity" ) }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-keystone.yaml b/charts/keystone/templates/secret-keystone.yaml
new file mode 100644
index 0000000..5aa87ab
--- /dev/null
+++ b/charts/keystone/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/secret-ldap-tls.yaml b/charts/keystone/templates/secret-ldap-tls.yaml
new file mode 100644
index 0000000..05ed724
--- /dev/null
+++ b/charts/keystone/templates/secret-ldap-tls.yaml
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secrets.ldap.tls }}
+type: Opaque
+data:
+ tls.ca: {{ .Values.endpoints.ldap.auth.client.tls.ca | default "" | b64enc }}
+{{- end }}
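Review bot: `| default ""` on the `tls.ca` line is unreachable, because the whole resource is already inside `{{- if .Values.endpoints.ldap.auth.client.tls.ca }}`; drop it, `tls.ca: {{ .Values.endpoints.ldap.auth.client.tls.ca | b64enc }}`. This is also the only template in the chart without a `.Values.manifests.*` gate, so the LDAP CA Secret cannot be disabled independently the way the other Secrets can; consider adding a corresponding `manifests` flag (its name would have to be added to values.yaml, which is not in view).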
diff --git a/charts/keystone/templates/secret-rabbitmq.yaml b/charts/keystone/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..fb7c704
--- /dev/null
+++ b/charts/keystone/templates/secret-rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "keystone" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/keystone/templates/service-api.yaml b/charts/keystone/templates/service-api.yaml
new file mode 100644
index 0000000..5fb0112
--- /dev/null
+++ b/charts/keystone/templates/service-api.yaml
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ - name: ks-pub
+ port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if or (.Values.network.api.node_port.enabled) (.Values.network.admin.node_port.enabled) }}
+ type: NodePort
+ {{ if .Values.network.api.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
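Review bot: `$portInt` is assigned from the port lookup but never read; the `port:` line two lines later repeats the identical `tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup"` call. Either drop the assignment or use it, `port: {{ $portInt }}`, so the lookup is evaluated once and the variable has a purpose. The untrimmed `{{ if ... }}` / `{{ end }}` actions also leave blank lines in the rendered Service, which is harmless YAML but could use `{{- if ... }}` / `{{- end }}` for consistency with the rest of the template.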
diff --git a/charts/keystone/templates/service-ingress-api.yaml b/charts/keystone/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..18c8fb2
--- /dev/null
+++ b/charts/keystone/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "identity" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/keystone/values.yaml b/charts/keystone/values.yaml
new file mode 100644
index 0000000..301ff6f
--- /dev/null
+++ b/charts/keystone/values.yaml
@@ -0,0 +1,1096 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for keystone.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+release_group: null
+
+# NOTE(gagehugo): the pre-install hook breaks upgrade for helm2
+# Set to false to upgrade using helm2
+helm3_hook: true
+
+images:
+ tags:
+ bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ test: docker.io/xrally/xrally-openstack:2.0.0
+ db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ keystone_db_sync: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+ db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ keystone_fernet_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+ keystone_fernet_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+ keystone_credential_setup: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+ keystone_credential_rotate: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+ keystone_credential_cleanup: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ keystone_api: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+ keystone_domain_manage: docker.io/openstackhelm/keystone:wallaby-ubuntu_focal
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+bootstrap:
+ enabled: true
+ ks_user: admin
+ script: |
+ # admin needs the admin role for the default domain
+ openstack role add \
+ --user="${OS_USERNAME}" \
+ --domain="${OS_DEFAULT_DOMAIN}" \
+ "admin"
+
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30500
+ admin:
+ node_port:
+ enabled: false
+ port: 30357
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - keystone-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ rabbit_init:
+ services:
+ - service: oslo_messaging
+ endpoint: internal
+ static:
+ api:
+ jobs:
+ - keystone-db-sync
+ - keystone-credential-setup
+ - keystone-fernet-setup
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ bootstrap:
+ jobs:
+ - keystone-domain-manage
+ services:
+ - endpoint: internal
+ service: identity
+ credential_rotate:
+ jobs:
+ - keystone-credential-setup
+ credential_setup: null
+ credential_cleanup:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - keystone-db-init
+ - keystone-credential-setup
+ - keystone-fernet-setup
+ services:
+ - endpoint: internal
+ service: oslo_db
+ domain_manage:
+ services:
+ - endpoint: internal
+ service: identity
+ fernet_rotate:
+ jobs:
+ - keystone-fernet-setup
+ fernet_setup: null
+ tests:
+ services:
+ - endpoint: internal
+ service: identity
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+pod:
+ security_context:
+ keystone:
+ pod:
+ runAsUser: 42424
+ container:
+ keystone_api:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ credential_setup:
+ pod:
+ runAsUser: 42424
+ container:
+ keystone_credential_setup:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ fernet_setup:
+ pod:
+ runAsUser: 42424
+ container:
+ keystone_fernet_setup:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ fernet_rotate:
+ pod:
+ runAsUser: 42424
+ container:
+ keystone_fernet_rotate:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ domain_manage:
+ pod:
+ runAsUser: 42424
+ container:
+ keystone_domain_manage_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ keystone_domain_manage:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ test:
+ pod:
+ runAsUser: 42424
+ container:
+ keystone_test_ks_user:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ keystone_test:
+ runAsUser: 65500
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ mounts:
+ keystone_db_init:
+ init_container: null
+ keystone_db_init:
+ volumeMounts:
+ volumes:
+ keystone_db_sync:
+ init_container: null
+ keystone_db_sync:
+ volumeMounts:
+ volumes:
+ keystone_api:
+ init_container: null
+ keystone_api:
+ volumeMounts:
+ volumes:
+ keystone_tests:
+ init_container: null
+ keystone_tests:
+ volumeMounts:
+ volumes:
+ keystone_bootstrap:
+ init_container: null
+ keystone_bootstrap:
+ volumeMounts:
+ volumes:
+ keystone_fernet_setup:
+ init_container: null
+ keystone_fernet_setup:
+ volumeMounts:
+ volumes:
+ keystone_fernet_rotate:
+ init_container: null
+ keystone_fernet_rotate:
+ volumeMounts:
+ volumes:
+ keystone_credential_setup:
+ init_container: null
+ keystone_credential_setup:
+ volumeMounts:
+ volumes:
+ keystone_credential_rotate:
+ init_container: null
+ keystone_credential_rotate:
+ volumeMounts:
+ volumes:
+ keystone_credential_cleanup:
+ init_container: null
+ keystone_credential_cleanup:
+ volumeMounts:
+ volumes:
+ keystone_domain_manage:
+ init_container: null
+ keystone_domain_manage:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ domain_manage:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ fernet_setup:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ fernet_rotate:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ credential_setup:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ credential_rotate:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ credential_cleanup:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ probes:
+ api:
+ api:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 15
+ periodSeconds: 60
+ timeoutSeconds: 15
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 50
+ periodSeconds: 60
+ timeoutSeconds: 15
+jobs:
+ fernet_setup:
+ user: keystone
+ group: keystone
+ fernet_rotate:
+ # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
+ # max_active_keys = (token_expiration / rotation_frequency) + 2
+ # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+ # 12 hours
+ cron: "0 */12 * * *"
+ user: keystone
+ group: keystone
+ history:
+ success: 3
+ failed: 1
+ credential_setup:
+ user: keystone
+ group: keystone
+ credential_rotate:
+ # monthly
+ cron: "0 0 1 * *"
+ migrate_wait: 120
+ user: keystone
+ group: keystone
+ history:
+ success: 3
+ failed: 1
+
+network_policy:
+ keystone:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+conf:
+ security: |
+ #
+ # Disable access to the entire file system except for the directories that
+ # are explicitly allowed later.
+ #
+ # This currently breaks the configurations that come with some web application
+ # Debian packages.
+ #
+ #<Directory />
+ # AllowOverride None
+ # Require all denied
+ #</Directory>
+
+ # Changing the following options will not really affect the security of the
+ # server, but might make attacks slightly more difficult in some cases.
+
+ #
+ # ServerTokens
+ # This directive configures what you return as the Server HTTP response
+ # Header. The default is 'Full' which sends information about the OS-Type
+ # and compiled in modules.
+ # Set to one of: Full | OS | Minimal | Minor | Major | Prod
+ # where Full conveys the most information, and Prod the least.
+ ServerTokens Prod
+
+ #
+ # Optionally add a line containing the server version and virtual host
+ # name to server-generated pages (internal error documents, FTP directory
+ # listings, mod_status and mod_info output etc., but not CGI generated
+ # documents or custom error documents).
+ # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+ # Set to one of: On | Off | EMail
+ ServerSignature Off
+
+ #
+ # Allow TRACE method
+ #
+ # Set to "extended" to also reflect the request body (only for testing and
+ # diagnostic purposes).
+ #
+ # Set to one of: On | Off | extended
+ TraceEnable Off
+
+ #
+ # Forbid access to version control directories
+ #
+ # If you use version control systems in your document root, you should
+ # probably deny access to their directories. For example, for subversion:
+ #
+ #<DirectoryMatch "/\.svn">
+ # Require all denied
+ #</DirectoryMatch>
+
+ #
+ # Setting this header will prevent MSIE from interpreting files as something
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+ #Header set X-Content-Type-Options: "nosniff"
+
+ #
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+ #Header set X-Frame-Options: "sameorigin"
+ software:
+ apache2:
+ binary: apache2
+ start_parameters: -DFOREGROUND
+ site_dir: /etc/apache2/sites-enable
+ conf_dir: /etc/apache2/conf-enabled
+ mods_dir: /etc/apache2/mods-available
+ a2enmod: null
+ a2dismod: null
+ keystone:
+ DEFAULT:
+ log_config_append: /etc/keystone/logging.conf
+ max_token_size: 255
+ # NOTE(rk760n): if you need auth notifications to be sent, uncomment it
+ # notification_opt_out: ""
+ token:
+ provider: fernet
+ # 12 hours
+ expiration: 43200
+ identity:
+ domain_specific_drivers_enabled: True
+ domain_config_dir: /etc/keystone/domains
+ fernet_tokens:
+ key_repository: /etc/keystone/fernet-keys/
+ credential:
+ key_repository: /etc/keystone/credential-keys/
+ database:
+ max_retries: -1
+ cache:
+ enabled: true
+ backend: dogpile.cache.memcached
+ oslo_messaging_notifications:
+ driver: messagingv2
+ oslo_messaging_rabbit:
+ rabbit_ha_queues: true
+ oslo_middleware:
+ enable_proxy_headers_parsing: true
+ oslo_policy:
+ policy_file: /etc/keystone/policy.yaml
+ security_compliance:
+ # NOTE(vdrok): The following two options have effect only for SQL backend
+ lockout_failure_attempts: 5
+ lockout_duration: 1800
+ # NOTE(lamt) We can leverage multiple domains with different
+ # configurations as outlined in
+ # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
+ # A sample of the value override can be found in sample file:
+ # tools/overrides/example/keystone_domain_config.yaml
+ # ks_domains:
+ policy: {}
+ access_rules: {}
+ rabbitmq:
+ # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+ policies:
+ - vhost: "keystone"
+ name: "ha_ttl_keystone"
+ definition:
+ # mirror messges to other nodes in rmq cluster
+ ha-mode: "all"
+ ha-sync-mode: "automatic"
+ # 70s
+ message-ttl: 70000
+ priority: 0
+ apply-to: all
+ pattern: '^(?!(amq\.|reply_)).*'
+ rally_tests:
+ run_tempest: false
+ tests:
+ KeystoneBasic.add_and_remove_user_role:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.authenticate_user_and_validate_token:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_add_and_list_user_roles:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_and_delete_ec2credential:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_and_list_ec2credentials:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_and_delete_role:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_and_delete_service:
+ - args:
+ description: test_description
+ service_type: Rally_test_type
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_and_get_role:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_and_list_services:
+ - args:
+ description: test_description
+ service_type: Rally_test_type
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_and_list_tenants:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_and_list_users:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_delete_user:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_tenant:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_tenant_with_users:
+ - args:
+ users_per_tenant: 1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_update_and_delete_tenant:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_user:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_user_set_enabled_and_delete:
+ - args:
+ enabled: true
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ - args:
+ enabled: false
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.create_user_update_password:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ KeystoneBasic.get_entities:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ mpm_event: |
+ <IfModule mpm_event_module>
+ ServerLimit 1024
+ StartServers 32
+ MinSpareThreads 32
+ MaxSpareThreads 256
+ ThreadsPerChild 25
+ MaxRequestsPerChild 128
+ ThreadLimit 720
+ </IfModule>
+ wsgi_keystone: |
+ {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+ Listen 0.0.0.0:{{ $portInt }}
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+ <VirtualHost *:{{ $portInt }}>
+ WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIProcessGroup keystone-public
+ WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ <IfVersion >= 2.4>
+ ErrorLogFormat "%{cu}t %M"
+ </IfVersion>
+ ErrorLog /dev/stdout
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+ </VirtualHost>
+ sso_callback_template: |
+ <!DOCTYPE html>
+ <html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <title>Keystone WebSSO redirect</title>
+ </head>
+ <body>
+ <form id="sso" name="sso" action="$host" method="post">
+ Please wait...
+ <br/>
+ <input type="hidden" name="token" id="token" value="$token"/>
+ <noscript>
+ <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
+ value="If your JavaScript is disabled, please click to continue"/>
+ </noscript>
+ </form>
+ <script type="text/javascript">
+ window.onload = function() {
+ document.forms['sso'].submit();
+ }
+ </script>
+ </body>
+ </html>
+ logging:
+ loggers:
+ keys:
+ - root
+ - keystone
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_keystone:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: keystone
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: keystone-keystone-admin
+ test: keystone-keystone-test
+ oslo_db:
+ admin: keystone-db-admin
+ keystone: keystone-db-user
+ oslo_messaging:
+ admin: keystone-rabbitmq-admin
+ keystone: keystone-rabbitmq-user
+ ldap:
+ tls: keystone-ldap-tls
+ tls:
+ identity:
+ api:
+ public: keystone-tls-public
+ internal: keystone-tls-api
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ identity:
+ namespace: null
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ default_domain_id: default
+ test:
+ role: admin
+ region_name: RegionOne
+ username: keystone-test
+ password: password
+ project_name: test
+ user_domain_name: default
+ project_domain_name: default
+ default_domain_id: default
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ # NOTE(portdirect): to retain portability across images, and allow
+ # running under a unprivileged user simply, we default to a port > 1000.
+ internal: 5000
+ oslo_db:
+ namespace: null
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ keystone:
+ username: keystone
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /keystone
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_messaging:
+ namespace: null
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ secret:
+ tls:
+ internal: rabbitmq-tls-direct
+ keystone:
+ username: keystone
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /keystone
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ oslo_cache:
+ namespace: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ ldap:
+ auth:
+ client:
+ tls:
+ # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
+ # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
+ # following key will need to be overrided under section [ldap] or the
+ # correct domain-specific setting, else it will not be enabled:
+ #
+ # use_tls: true
+ # tls_req_cert: allow # Valid values: demand, never, allow
+ # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
+ ca: null
+ fluentd:
+ namespace: null
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+ # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+ # They are using to enable the Egress K8s network policy.
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns:
+ default: 53
+ protocol: UDP
+ ingress:
+ namespace: null
+ name: ingress
+ hosts:
+ default: ingress
+ port:
+ ingress:
+ default: 80
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ cron_credential_rotate: true
+ cron_fernet_rotate: true
+ deployment_api: true
+ ingress_api: true
+ job_bootstrap: true
+ job_credential_cleanup: true
+ job_credential_setup: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_domain_manage: true
+ job_fernet_setup: true
+ job_image_repo_sync: true
+ job_rabbit_init: true
+ pdb_api: true
+ pod_rally_test: true
+ network_policy: false
+ secret_credential_keys: true
+ secret_db: true
+ secret_fernet_keys: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ service_ingress_api: true
+ service_api: true
+...
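Review bot: Every auth block under `endpoints` ships the literal placeholder `password: password` (identity admin and test, oslo_db admin and keystone, oslo_messaging admin and keystone), and nothing in the file says these are placeholders that a deployment must override. A one-line comment above `endpoints:` would make that explicit, e.g. `# NOTE: all password values below are placeholders and must be overridden per deployment`, and it is worth confirming the bundling pipeline applies such overrides rather than installing these defaults. `domain_specific_drivers_enabled: True` is the only capitalised boolean in the file; the rest use `true`, so `domain_specific_drivers_enabled: true` keeps the file consistent and avoids YAML 1.1/1.2 truthy ambiguity. `site_dir: /etc/apache2/sites-enable` looks like it is missing the trailing `d` of `sites-enabled`; whether anything consumes this key is not visible here, so confirm against the api script before changing it.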
diff --git a/charts/libvirt/.helmignore b/charts/libvirt/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/libvirt/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/libvirt/Chart.yaml b/charts/libvirt/Chart.yaml
new file mode 100644
index 0000000..68ea762
--- /dev/null
+++ b/charts/libvirt/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm libvirt
+home: https://libvirt.org
+maintainers:
+- name: OpenStack-Helm Authors
+name: libvirt
+sources:
+- https://libvirt.org/git/?p=libvirt.git;a=summary
+- https://opendev.org/openstack/openstack-helm
+version: 0.1.8
diff --git a/charts/libvirt/charts/helm-toolkit/Chart.yaml b/charts/libvirt/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..a0ccd1d
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.34
diff --git a/charts/libvirt/charts/helm-toolkit/requirements.lock b/charts/libvirt/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..da47547
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2022-03-21T18:35:07.074136695Z"
diff --git a/charts/libvirt/charts/helm-toolkit/requirements.yaml b/charts/libvirt/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
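Review bot: `$endpointUser` and `$endpointPass` are interpolated into the URI by `printf` without any escaping, so a password containing `@`, `:`, `/`, `?` or `%` produces a transport URL that parses wrongly or not at all, and the failure only surfaces at pod start. Go templates provide the builtin `urlquery` function, so `{{- $endpointPass := index $userMap "password" | urlquery }}` (and the same for the username) would make the output well-formed for any credential; I have not checked whether any chart in this bundle already depends on passing pre-escaped values, so verify that before applying it. The `abstract:` block would also benefit from a sentence stating whether callers are expected to supply raw or URL-encoded credentials.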
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
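Review bot: The username and password are spliced into the transport URL verbatim at `printf "%s:%s@%s-%d.%s:%s"` and again in the single-host branch below it, so a password containing `@`, `:`, `/`, `#`, `%` or `,` is likely to make oslo.messaging's TransportURL parser split the string at the wrong place, and because these are comma-joined multi-host URLs a `,` in a secret would silently turn into a bogus extra host. Percent-encoding the credentials, e.g. `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}`, keeps the URL well-formed; note that Go's `urlquery` encodes a space as `+`, which is not decoded back to a space in userinfo, so spaces should still be excluded when passwords are generated. This file is a bundled copy of helm-toolkit, so the change would need to land upstream and be re-vendored here.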
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
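Review bot: The IPv4 test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any hostname that merely contains four dot-separated numeric labels (for example `node-10.0.0.5.internal`) is treated as a literal address and returned as-is instead of being namespaced and given the cluster suffix. Anchoring it, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, limits the shortcut to bare dotted quads, and the abstract should state that IPv6 literals are not recognised at all. The helper also uses `.Values.__endpointHost` as scratch space (`set $context.Values "__endpointHost" ...`), which presumably shows up in anything that later dumps `.Values` into a manifest; a template variable with `=` reassignment would avoid leaking it.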
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
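Review bot: `printf "%1.f" $endpointPort` only renders correctly when the value arrived as a float64 (the usual case for numbers parsed from values.yaml); a port supplied as an integer (which I believe `--set ...=3307` produces) or as a quoted string is emitted as `%!f(int64=3307)` or `%!f(string=3307)` inside the URL rather than failing the render. Converting first, `{{- printf "%d" ( $endpointPort | int ) -}}`, handles all three forms and still drops the trailing `.0`.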
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
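Review bot: When the token is unset, `printf "%s" $serviceToken` emits the literal `%!s(<nil>)` into whatever config consumes it, so a missing token surfaces only as an authentication failure at runtime rather than as a render-time error. `{{- required (printf "endpoints.%s.auth.%s.token is not set" $type $userName) $serviceToken -}}` fails fast with a message naming the endpoint. The token in the docstring example is a dummy value and the comment should say so, since this helper is presumably how a keystone admin token ends up in rendered manifests.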
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
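Review bot: The usage example in the docstring, `{{ tuple identity . | include "keystone_endpoint_name_lookup" }}`, would not render: `identity` is unquoted and the include name lacks the `helm-toolkit.endpoints.` prefix the define uses. It should read `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. The docstring should also mention that, unlike the sibling lookups, this helper returns the name already quoted (`$endpointName | quote`), so callers must not quote it again.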
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
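Review bot: Both branches fall back to `"http"` via `| default "http"` when `scheme` is missing or empty, so an override that drops or misspells the `scheme` key silently yields a plaintext URL rather than a render error, and for endpoints that carry credentials (the authenticated URI helpers call this lookup) that downgrade is easy to miss. Consider `required` with a message naming the endpoint, or at least document the fallback in the abstract: `Falls back to "http" when no scheme is configured; set scheme explicitly for any endpoint that must use TLS.` The `# FIXME` lines sit outside the `{{/* */}}` comment block and are repeated verbatim in the path-lookup helper; since `$port` is assigned here and never read, the FIXME could be resolved or moved inside the comment.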
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..3cc07cc
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..91fd5ad
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,166 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..b3348f5
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,165 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..0376343
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,133 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..2d130e1
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,126 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..8347b58
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,120 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..80960f4
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,150 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..7ecacce
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,125 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..9dc2859
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,143 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..3dd407e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,155 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..6fed825
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,115 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
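Review bot: The egress allowlist derived from `$envAll.Values.endpoints` is rendered whenever `network_policy.<label>` exists, but `Egress` is only added to `policyTypes` when the values also carry an explicit `egress:` list or a `policyTypes` entry, so for a label that only configures `ingress:` the generated egress rules sit under an explicit `policyTypes: [Ingress]` and are ignored by Kubernetes. That may be the intended fail-open default, but it is easy to misread as an enforced allowlist, so the abstract should say so, e.g. `endpoint-derived egress rules are only enforced when policyTypes includes Egress (set network_policy.<label>.policyTypes or an explicit egress list)`. The `namespaceSelector` rules also assume every target namespace carries a `name=<namespace>` label; an unlabeled namespace silently selects nothing, which is worth documenting next to the `kube_dns` example. Separately, the second `usage:` example is missing the trailing `| include "helm-toolkit.manifests.kubernetes_network_policy"` pipe.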
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
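Review bot: The private key written at `tls.key: {{ $endpointHost.tls.key | b64enc }}` is read straight from chart values (`endpoints.<svc>.host_fqdn_override.<endpoint>.tls.key`), which means it also ends up in the Helm release record that stores the values of every revision, and in any values override file committed to a config repository. The abstract should carry that caveat so operators supply keys at install time (`--set-file`) or via an externally managed Secret rather than committed values, e.g. `NOTE: the key is persisted in the Helm release history as part of the values; prefer an externally managed Secret where possible.` It is also worth stating that `crt` is emitted unchanged apart from the optional `ca` appended with a newline, so the value must already be a complete leaf-first PEM chain. As this is a bundled copy of upstream helm-toolkit, the wording change belongs upstream as well.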
diff --git a/charts/libvirt/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/libvirt/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
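Review bot: The `else` branch adds `--no-check-certificate` for every non-`http` value of `RGW_PROTO`, so an https RGW endpoint is used with TLS verification disabled and the admin access/secret keys are sent to whoever answers on that host. Verification should be the default, with a CA handed to s3cmd when it is not in the system store, e.g. `CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT}"` guarded by `[ -n "${RGW_CA_CERT:-}" ]`, and the unverified mode an explicit opt-in rather than the fallback. Note also that both key pairs are passed on the s3cmd command line (`--access_key=… --secret_key=…`), where they are readable from the job container's `/proc` for the life of the command; s3cmd can take credentials from its config file or environment instead. `s3://$S3_BUCKET` and the two auth-arg variables are unquoted, so a value containing whitespace would change the argument list.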
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
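Review bot: `--secret-key ${S3_SECRET_KEY}` in both `create_s3_user` and `update_s3_user` places the S3 secret on the radosgw-admin command line, readable from `/proc/<pid>/cmdline` by anything sharing the container's PID namespace while the command runs, and the value is unquoted, so a key containing whitespace or glob characters would be split. At minimum quote it (`--secret-key "${S3_SECRET_KEY}"`), and add a comment that the argv exposure is inherent to this approach unless radosgw-admin in the image offers a file or stdin option. Also, `radosgw-admin user info … || true` with a `-z` test treats any failure (cluster unreachable, auth error) as "user does not exist" and proceeds to `user create`, which then fails under `set -e` with a misleading message; checking the exit status separately from the output would make that distinction explicit. Rotation removes every non-matching key before the supplied key is confirmed, so there is a window where the user has no valid credential.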
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
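Review bot: The two statements near the end, `DROP DATABASE IF EXISTS {0}` and `DROP USER IF EXISTS {0}`, interpolate the database and user names taken from the service connection string straight into SQL without quoting or validation, so a name with a hyphen breaks the statement and a crafted connection value could run arbitrary SQL as the DB root user. The names come from chart configuration rather than end users, but a root-privileged destructive job should still restrict them to a plain identifier pattern and quote them; the `'%%'` host suffix mirrors the `GRANT … TO '{1}'@'%%'` in the init script so the same account is dropped. A smaller defect: `root_engine_url` is rebuilt by concatenating `url.password`, which SQLAlchemy returns decoded, so a root password containing `@`, `:` or `/` yields a malformed URL; `root_engine_full.url.set(database=None)` (SQLAlchemy 1.4+) or building a `URL` object avoids that, depending on the SQLAlchemy version in the image. Since this is a bundled copy of upstream helm-toolkit, the change should go upstream or be tracked as a local patch.
```python
import re
# … unchanged: logging setup, config loading, engine setup …
IDENT = re.compile(r'^[A-Za-z0-9_]+$')
if not IDENT.match(database) or not IDENT.match(user):
    logger.critical("Refusing to drop: database or user name is not a plain identifier")
    sys.exit(1)
root_engine.execute("DROP DATABASE IF EXISTS `{0}`".format(database))
root_engine.execute("DROP USER IF EXISTS '{0}'@'%%'".format(user))
```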
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
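Review bot: The `GRANT ALL ON `{0}`.* TO '{1}'@'%%' IDENTIFIED BY '{2}' {3}` statement embeds the service password (and the user and database names) with `str.format`, so a password containing a single quote or backslash breaks the statement and a crafted value runs arbitrary SQL as the DB root user; the `%%` shows the DBAPI interpolates the string, but nothing escapes the values themselves. Bind the password as a parameter and validate the identifiers before quoting them; `text()` doubles literal percent signs for pyformat drivers, so the `%%` becomes a single `%` once the statement is a `text()` construct. The same `root_engine_url` concatenation as in the drop script breaks for a root password containing `@`, `:` or `/`, because `url.password` is returned decoded. `MARIADB_X509` is appended raw as a SQL fragment; it is chart-controlled, but a comment stating the expected literal (presumably a `REQUIRE …` clause) would make that contract visible.
```python
import re
from sqlalchemy import create_engine, text
# … unchanged: logging setup, config loading, engine setup …
IDENT = re.compile(r'^[A-Za-z0-9_]+$')
if not IDENT.match(database) or not IDENT.match(user):
    logger.critical("Database or user name is not a plain identifier")
    sys.exit(1)
root_engine.execute("CREATE DATABASE IF NOT EXISTS `{0}`".format(database))
root_engine.execute(
    text("GRANT ALL ON `{0}`.* TO :user@'%' IDENTIFIED BY :pw {1}".format(database, mysql_x509)),
    user=user, pw=password)
```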
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
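Review bot: `set -ex` at the top of `pg_db_init` makes bash echo every expanded command, so the `CREATE ROLE … PASSWORD '$USER_DB_PASS'` and `ALTER USER … with password '$USER_DB_PASS'` lines write the service database password in clear text to the job's stdout and therefore to whatever collects pod logs. Drop the trace (`set -e`) or bracket the two password statements with `set +x` … `set -x`. Two smaller points in the same function: `EXPORT PGDATABASE=$2` is not a bash builtin (`export` is) and would fail under `set -e` if the optional second argument were ever passed, and the password is spliced into SQL between single quotes, so a value containing `'` breaks the statement; feeding the statement on stdin with `-v pw="$USER_DB_PASS"` and `:'pw'` interpolation (psql does not interpolate variables in `--command`) avoids that.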
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
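Review bot: `docker pull ${IMAGE}` followed by `docker tag`/`docker push` mirrors whatever the upstream tag points to at that moment, with no digest recorded or compared, so the local registry silently follows a tag that an upstream re-push or compromise can move; for a job that also needs the host's `/var/run/docker.sock` (mounted in the job template earlier in this diff) that is a wide trust boundary. A digest reference cannot be the target of `docker tag`, so pinning would need `IMAGE_SYNC_LIST` to carry an expected digest per tag and the loop to compare it after the pull; failing that, at least log the pulled digest with `docker image inspect --format '{{index .RepoDigests 0}}' "${IMAGE}"` so the sync is auditable (the braces need escaping inside the `.tpl`, e.g. a `{{ "{{" }}` literal). `DOCKER_CONTENT_TRUST=1` is an option only where the upstream images are signed. Minor: `IFS=','` stays set after the loop, and `${IMAGE}`/`${LOCAL_REPO}` are unquoted.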
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
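Review bot: With `set -ex`, the `openstack user create … --password="${SERVICE_OS_PASSWORD}"` and `openstack user set --password="${SERVICE_OS_PASSWORD}"` lines are echoed with the password expanded, so the service user's Keystone password lands in the job log and in any log pipeline behind it. Either drop the trace (`set -e`) or bracket those two commands with `set +x` … `set -x`; the argv exposure to other processes in the pod remains either way, which deserves a comment such as `# password is passed on the command line: visible in /proc for the duration of the call`. This is a bundled copy of upstream helm-toolkit, so the fix should be carried upstream or tracked as a local patch.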
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
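Review bot: The two lookups at `OS_SERVICE_ID=$( openstack service list ...` and `OS_ENDPOINT_ID=$( openstack endpoint list ...` are never checked: each pipeline's status is that of its last stage (`sed`/`awk`), so a failed `openstack ... list` (the transient connection error described in the sibling `_ks-service.sh.tpl`) leaves the variable empty and the script proceeds as if the service or endpoint did not exist, which on the endpoint path would mean creating a duplicate that only the next run's `wc -w` check cleans up. Add `[[ -n "${OS_SERVICE_ID}" ]] || { echo "Service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; }` after the first lookup, and capture each list's output separately from the grep so a list failure is distinguishable from an absent entry. The bare `${OS_ENDPOINT_ID}` on the `openstack endpoint delete`/`endpoint show` lines and `${OS_SVC_ENDPOINT}` on `endpoint create` should also be quoted to match the rest of the file.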
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
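Review bot: The retry loop at `for i in $(seq 3)` cannot tell a failed `openstack service list` from a successful list with no match, because the pipeline's exit status is that of `sed`; after three transient failures the script falls through to `openstack service create` and produces exactly the duplicate service the FIXME comment above the loop warns about. Capture the list output and its status separately, and only create the service when at least one listing genuinely succeeded without a match. The `exit 0` inside the loop is kept; only the failure path changes.
```shell
LIST_OK="false"
for i in $(seq 3)
do
  if SERVICE_LIST=$(openstack service list -f csv --quote none); then
    LIST_OK="true"
    OS_SERVICE_ID=$( grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" <<< "${SERVICE_LIST}" | \
      sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
    # If the service was found, go ahead and exit successfully.
    if [[ -n "${OS_SERVICE_ID}" ]]; then
      exit 0
    fi
  fi
  sleep 2
done

# Never obtained a trustworthy listing: fail rather than risk a duplicate service.
if [[ "${LIST_OK}" != "true" ]]; then
  echo "Unable to list keystone services after 3 attempts"
  exit 1
fi
# … unchanged: openstack service create …
```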
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
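Review bot: The final `ks_assign_user_role` call for the member role is ineffective as written: the function re-derives `USER_ROLE_ID` from `$SERVICE_OS_ROLE`, which at that point still holds the last entry of `SERVICE_OS_ROLES`, so the id exported from `openstack role create --or-show ... "${MEMBER_OS_ROLE}"` is immediately overwritten, the last service role is assigned a second time and `${MEMBER_OS_ROLE}` is never granted. Since this script determines which Keystone roles the service account actually holds, the assigned set should be exactly what the values declare; pass the role name as a parameter and drop the now-dead `export USER_ROLE_ID=...`. `IFS=','` is also left in effect for the remainder of the script; restore it after the loop.
```shell
function ks_assign_user_role () {
  local ROLE_NAME="${1}"
  if [[ "${ROLE_NAME}" == "admin" ]]
  then
    USER_ROLE_ID="${ROLE_NAME}"
  else
    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${ROLE_NAME}");
  fi
  # … unchanged: openstack role add …
}

# Manage user service role
OLD_IFS="${IFS}"
IFS=','
for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
  ks_assign_user_role "${SERVICE_OS_ROLE}"
done
IFS="${OLD_IFS}"

# Manage user member role
: ${MEMBER_OS_ROLE:="member"}
ks_assign_user_role "${MEMBER_OS_ROLE}"
```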
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
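Review bot: `--ssl-disable-hostname-verification` in `rabbitmqadmin_cli` reduces the TLS check to "any certificate chaining to `${USER_CERT_PATH}/ca.crt`", so a mis-issued or leaked certificate from that CA could impersonate the broker to this job while the admin credentials are in use; if the broker certificate genuinely cannot match `${RABBIT_HOSTNAME}`, record why in a comment above the flag (`# hostname check disabled: broker cert SAN does not cover the service name used here — TODO revisit`), otherwise drop it. The two pass-through lines `${@}` should be `"$@"` so arguments such as `password="${RABBITMQ_PASSWORD}"` survive word splitting and globbing. Note also that the admin and user passwords are passed as argv to `rabbitmqadmin` and so are readable in the pod's process list for the duration of each call; if the bundled rabbitmqadmin supports reading credentials from a config file, that would avoid it.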
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
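Review bot: `cat > /tmp/rally-config.json << EOF` writes `${OS_PASSWORD}` and `${SERVICE_OS_PASSWORD}` in plaintext with the default umask into a directory shared by every process in the container; the file is removed a few lines later, but it is world-readable in between. Prefix the write with `umask 077` (or create the file with `mktemp` and pass that path to `rally deployment create --file`) so the credentials file is owner-readable only. The same heredoc interpolates the passwords unescaped into JSON, so a value containing `"` or `\` would produce an invalid deployment file. `if [ $revisionResults = "None" ]` in `create_or_update_db` should quote the variable, `[ "${revisionResults}" = "None" ]`, so an empty `rally db revision` output fails the comparison instead of the test syntax.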
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..cdc9ff5
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,471 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A FILETABLE
+create_hash_table() {
+unset FILETABLE
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ ARCHIVE_DATE=$( echo $ARCHIVE_FILE | awk -F/ '{print $NF}' | cut -d'.' -f 4)
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ INDEX=$(seconds_difference $(date --date $ARCHIVE_DATE +"%D"))
+ if [[ -z FILETABLE[${INDEX}] ]]; then
+ FILETABLE[${INDEX}]=${ARCHIVE_FILE}
+ else
+ FILETABLE[${INDEX}]="${FILETABLE[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${FILETABLE[${INDEX}]}"
+ done
+}
+
+remove_old_local_archives() {
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+ ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -rf $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days"
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+ ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log_backup_error_exit \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}!"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ create_hash_table $(ls -1 $ARCHIVE_DIR/*.gz)
+ remove_old_local_archives
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ create_hash_table $(cat $DB_BACKUP_FILES)
+ remove_old_remote_archives
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..c2de3aa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f 8
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
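Review bot: `get_archive` runs `tar zxvf -` in whatever the current directory happens to be if `cd $TMP_DIR` fails, because that `cd` is unchecked, and `cli_main` never verifies that `mktemp -d` succeeded (the backup script earlier in this diff guards both with `|| log_backup_error_exit`); `cd "$TMP_DIR" || clean_and_exit 1 "ERROR: Cannot change to restore directory $TMP_DIR"` closes the first gap. The user-supplied `<archive_filename>` is also used unvalidated in `cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE`, `rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}` and `openstack object save --file $TMP_DIR/$ARCHIVE`, so a value containing `../` reads, writes or deletes outside those directories; rejecting anything that is not a bare file name at the top of `get_archive` and `delete_archive`, e.g. `[[ "$ARCHIVE_FILE" == */* ]] && clean_and_exit 1 "ERROR: Archive name must not contain a path."`, is enough. Separately, `database_exists` matches with an unanchored, unquoted-pattern `grep "${DB}"`, so requesting e.g. `nova` passes the check when the archive only holds `nova_api`; `grep -qxF -- "${DB}" "${RESULT_FILE}"` matches whole lines only. This is a vendored copy of helm-toolkit, so the same fixes presumably belong upstream.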
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
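Review bot: The `index $envAll.Values.images.tags $image` lookup is never checked, so a chart that references an image key missing from `images.tags` renders an empty or nil-formatted `image:` value and only fails later at pod start with an unhelpful pull error. Wrapping the lookup with `required`, e.g. `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not defined" $image) -}}`, turns that into a template-time error naming the missing key. This helper is vendored from helm-toolkit, so the change presumably belongs upstream as well.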
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
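Review bot: The header comment is out of sync with the template body: its `usage:` example never passes `useCA`, yet its `return:` listing shows `OS_CACERT` unconditionally while the define only emits it under `{{- if $useCA }}`, and `OS_DEFAULT_DOMAIN`, which the define always emits, is not listed at all. Change the usage line to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}` and add an `OS_DEFAULT_DOMAIN` entry (reading key `OS_DEFAULT_DOMAIN`) to the return listing. `OS_ENDPOINT_TYPE` appears to read the `OS_INTERFACE` key on purpose; a one-line note such as `{{/* OS_ENDPOINT_TYPE intentionally mirrors OS_INTERFACE — confirm which clients still read it */}}` would stop the next reader from "fixing" it.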
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
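Review bot: Every credential field is piped straight to `b64enc` with no `required`, so an auth block whose `password` (or `username`) is unset renders an empty secret value instead of failing the render; I cannot tell from this diff whether the downstream user-create job would then provision the account with an empty password, but failing at template time is safer either way. `OS_PASSWORD: {{ required (printf "endpoints.identity.auth.%s.password is required" $userClass) $userContext.password | b64enc }}` does that, and the same wrapper fits `username`. It is also worth a comment that `cacert` must hold whatever the consumer of `OS_CACERT` expects — the openstack CLI presumably treats that variable as a file path, so PEM content placed here would not work unless something writes it to disk first. This is a vendored helm-toolkit helper; the fix presumably belongs upstream too.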
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
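Review bot: The header's `values:` example shows the profiles under `pod.mandatory_access_control`, but the template reads them from `$envAll.Values.conf.apparmor_profiles` (the `if` after the `$mapName` line and the `toYaml` under `data:`), so a reader following the header would get no ConfigMap; the example should show the profiles under `conf:` (exact nesting is hard to confirm here because the diff lost the indentation). `conf` is also dereferenced without a `hasKey` guard, unlike `mandatory_access_control`, so a chart without a top-level `conf` key presumably fails to render; `{{- if and (hasKey $envAll.Values "conf") $envAll.Values.conf.apparmor_profiles }}` keeps the current behaviour for charts that have it. This is a vendored copy of helm-toolkit, so the fix belongs upstream.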
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
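Review bot: The loader's `image:` is taken straight from `images.tags.apparmor_loader`, whereas the entrypoint init container in this same toolkit builds its image stanza with `{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}`, which presumably is where `images.pull_policy` and local-registry handling are applied; this container gets neither, so `imagePullPolicy` falls to the Kubernetes default. The equivalent here would be `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` in place of the `image:` line. The container also runs with `privileged: true` plus read-only host mounts of `/sys` and `/etc/apparmor.d`, which loading kernel profiles requires; a one-line comment above `securityContext` stating that this privilege exists only to load profiles would keep it from being widened or reused for something else. This is a vendored copy of helm-toolkit, so the change belongs upstream.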
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
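Review bot: In the `DEPENDENCY_JOBS_JSON` branch, `value: {{- toJson $deps.jobs | quote -}}` uses a left-trim marker that removes the space after `value:`, which appears to render `value:"[...]"` — a plain scalar rather than a key/value pair — while the sibling lines for `DEPENDENCY_POD_JSON` and `DEPENDENCY_CUSTOM_RESOURCE` keep the space. `value: {{ toJson $deps.jobs | quote }}` would match them. Worth confirming with a rendered chart whose job dependencies are maps, since only that branch is affected. This is a vendored copy of helm-toolkit, so the fix belongs upstream.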
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
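Review bot: The annotation emitted here, `container.apparmor.security.beta.kubernetes.io/<container>`, is the legacy mechanism; recent Kubernetes releases expose the profile as the `securityContext.appArmorProfile` field and treat the beta annotation as deprecated, so charts using this snippet should expect it to stop taking effect on clusters that drop annotation support. The profile name is also interpolated unquoted; `container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile | quote }}` would keep the value a string regardless of its shape. This is a vendored copy of helm-toolkit, so the change belongs upstream.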
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
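Review bot: The component and `default` label maps are rendered one after the other with two separate `toYaml` calls, so any key present in both (or a user key named `application`, `component` or `release_group`) is emitted twice in the same mapping, and which copy wins is then left to the YAML parser's duplicate-key handling. Rendering one merged map avoids the duplicate, e.g. `{{ merge (dict) (index $envAll.Values.pod.labels $component | default dict) ($envAll.Values.pod.labels.default | default dict) | toYaml }}`, where the empty `dict` target keeps `merge` from mutating values in place and the component map takes precedence over `default`. This is a vendored copy of helm-toolkit, so the fix belongs upstream.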
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
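Review bot: The RoleBinding subject near the top of this file places the ServiceAccount in `$saNamespace`, but the companion serviceaccount snippet creates the account in `.Release.Namespace` and passes an endpoint's namespace as argument 3 whenever a service dependency lives elsewhere, so for a cross-namespace endpoint the binding targets a same-named account in the foreign namespace (which may not exist, or may belong to another tenant) and the real account gets nothing. Unless callers guarantee every endpoint shares the release namespace, the subject should read `namespace: {{ $envAll.Release.Namespace }}`. Separately, the `secrets` branch grants `get` and `list` on every Secret in the namespace with no `resourceNames`; `list` returns secret contents, so a dependency wait on a single secret hands the pod's service account the whole namespace's credentials — at minimum a comment stating that, or narrowing with `resourceNames` where the dependency names are known.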
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
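Review bot: The inner guard only checks that `pod.security_context` has an entry for the application, yet the following line indexes its `pod` sub-key unconditionally; an application entry without a `pod` sub-key renders `null` beneath `securityContext:`, which either blanks the whole context or, when `runAsUser` was already emitted from the deprecated `user` key, produces unparsable YAML. Change the guard to `{{- if hasKey (index $envAll.Values.pod.security_context $application) "pod" }}`. The abstract also misspells "security" as "seurity" and links the v1.13 API reference, which is worth refreshing while touching the doc block.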
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
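Review bot: The `container.seccomp.security.alpha.kubernetes.io/<name>` annotations rendered here are the pre-GA seccomp mechanism; Kubernetes stopped honouring them in v1.25, so on current clusters this snippet silently applies no profile while the values still look hardened. The supported form is `securityContext.seccompProfile` on the container (`type: Localhost` with `localhostProfile: <name>`, i.e. the value minus the `localhost/` prefix shown in the example, or `RuntimeDefault`), which belongs in the container security-context output rather than in pod annotations. Until callers migrate, a sentence in the abstract such as `NOTE: seccomp annotations are ignored on Kubernetes >= 1.25; use securityContext.seccompProfile` would stop operators from assuming the profile is enforced.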
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
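Review bot: The abstract documents an `enabled: true` flag beside the tolerations list, but the template never reads it: it emits `tolerations:` whenever it is included, so the flag only has effect if every caller wraps the include in its own `if`. Either gate the output here with `{{- if $pod.enabled }}` ... `{{- end }}` or state in the abstract that the caller must check `enabled`, since a caller relying on the flag alone would otherwise schedule onto control-plane nodes with the flag set to false. Also, `toYaml $pod.tolerations` is written at column 0, so callers must pipe the include through `indent` themselves; the usage example should show that.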
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
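Review bot: The usage block at the top pipes `$MON_HOST` into `sed -i -e "s/^mon_host = /mon_host = $MON_HOST/"`, but every endpoint the function prints ends in `/0` (both the `printf "v2:%s:%d/0"` and `v1:` forms), so the replacement text carries extra `/` delimiters and sed rejects the expression; use another delimiter, `sed -i -e "s|^mon_host = |mon_host = $MON_HOST|" /etc/ceph/ceph.conf`. The header comment also describes entries as `v2:x.x.x.x/p/0`, whereas the code emits `v2:x.x.x.x:p/0`; align the comment with the printf. Since the result is spliced into ceph.conf unquoted, a one-line caveat that it is only as trustworthy as whoever can write the Endpoints object in `$NS` would be fair.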
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
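Review bot: Every entry under `storage.s3.clients.*.auth` is rendered verbatim into an Opaque Secret, so the credentials must be supplied as plain Helm values; those values then also live in the release's stored manifest and in whatever values file or CI variable carried them, not only in this Secret. The define has no doc block at all; a short comment saying so, and pointing chart authors at supporting a pre-existing secret name instead of inline `auth`, would help operators. The Secret name is built from the client key with only `_`→`-` and lowercasing, so any other non-DNS-1123 character in a client name presumably fails at apply time rather than at render time — worth a comment or an explicit check.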
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
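Review bot: The usage example passes `"enabled" "true"` as a string, while the parameter is documented as a boolean and the sibling tls_volume_mount example passes `.Values.manifests.certificates`; because any non-empty string is truthy in the `if and $enabled ...` check, `"enabled" "false"` would still render the volume, so the example should use a real boolean, `{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" -}}`. The secretName description also misspells `kuberentes`. This is a vendored helm-toolkit copy repeated per chart, so the doc fix belongs upstream.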
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
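Review bot: The second usage example at the top of the file passes `"ca" true`, but the define never reads a `ca` key; the CA-only mount is selected solely by leaving `path` unset (the `and (eq $path "") (ne $name "")` branch), so the example documents a parameter that has no effect. Either drop `"ca" true` from the example or make the define honour it, e.g. `{{- $caOnly := index . "ca" | default false -}}` and `{{- if and (ne $name "") (or $caOnly (eq $path "")) }}`. The Dictionary Parameters section should also say that `certs` is ignored on the CA-only path. Vendored helm-toolkit copy, so the same change applies upstream.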
diff --git a/charts/libvirt/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/libvirt/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
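Review bot: The `format` parameter (read by `index . "format" | default "configMap"`, with `"Secret"` switching to base64 output) is not listed in the abstract, which documents only envAll/template/key; add a line such as `format: "configMap" (default, emits a block scalar) or "Secret" (emits the b64enc'd value) (optional)`. The abstract should also state that the value is passed through `tpl` with the full chart context, so any `.Values.conf.*` content rendered through this snippet is evaluated as template text rather than treated as inert data — a reviewer of values overrides needs that to assess what an override can do. Vendored helm-toolkit copy; the doc change belongs upstream as well.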
diff --git a/charts/libvirt/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/libvirt/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
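Review bot: When `params.ca` is present but lacks `crt` or `key`, neither branch of the `hasKey $params "ca"` block sets `$local.ca`, so `genSignedCert` runs with a nil CA instead of falling back to `genCA`; collapse the guard to `{{- if and (hasKey $params "ca") (hasKey $params.ca "crt") (hasKey $params.ca "key") }}` with the `genCA` path as the `else`. The returned dict also carries `caKey` (the CA private key), which the `return:` block above does not list — callers that write the whole dict into a Secret are persisting the CA key, so the abstract should document `caKey` and when it is actually needed. Since `genCA` creates a new key each time it is evaluated, the auto-generated CA and leaf certificate change on every render; worth a sentence in the abstract. Vendored helm-toolkit copy, so fix upstream too.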
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
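Review bot: This define has no abstract/usage block, unlike the other utils in this directory, and its contract is not obvious from the body: the tuple is (keyRoot, configTemplate, context), `keyRoot.override` replaces the templated output entirely, `prefix`/`append` wrap it, and everything is emitted with a fixed `indent 4`, so it only fits a ConfigMap `data:` key at that exact nesting. A short abstract stating those four points, including the hard-coded indentation, would save callers a rendering failure. Vendored helm-toolkit copy.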
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
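Review bot: `{{- $_ := unset $context ".Files" }}` looks like it targets the wrong key: the root context's key is `Files`, so the string `".Files"` with its leading dot will not match and the Files object stays in `$context` — if the intent is to drop it before the context is deep-copied with `toYaml | fromYaml`, the line should read `{{- $_ := unset $context "Files" }}` (hedged, since I cannot see how callers build `$context`). A consistency point: the default daemonset path copies `conf` with a plain `omit $context.Values.conf "overrides"`, while the hosts and labels paths deep-copy via `toYaml | fromYaml` with a comment citing story 2005936; the default path should use the same deep copy so the later `mergeOverwrite` cannot alias the live `.Values.conf`. Vendored helm-toolkit copy, so upstream is the place for both.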
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
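Review bot: In the slice branch, `index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey` is evaluated without first checking that `$v` exists under `targeted`, unlike the string branch which guards with `if ( index ... $dependencyMixinParam )`; a mixin name with no targeted entry therefore likely fails the render instead of falling back to the static dependencies. Guard it the same way: `{{- if index $envAll.Values.dependencies.dynamic.targeted $v }}` around the merge, with `{{- end }}` after it. The scratch key `__deps` is written into `.Values` and never removed, so it stays visible to every later template and to anything that hashes `.Values`; an `{{- $_ := unset $envAll.Values "__deps" }}` after the range keeps `.Values` clean. The define also lacks the abstract/usage block its siblings carry.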
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
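Review bot: The sibling template's name is derived by running `replace $last $name` over the whole of `$context.Template.Name`, which substitutes every occurrence of the basename anywhere in the path rather than only the final component, and the intermediate is named `$wtf`. Building the path explicitly is exact and self-describing: `{{- $tpl := printf "%s/%s" (dir $context.Template.Name) $name -}}` followed by `{{- include $tpl $context | sha256sum | quote -}}`. The same construction appears in `_template.tpl` later in this series and should get the same treatment.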
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
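Review bot: The separator on `{{- if not $local.first -}},{{- end -}}` is emitted before the exclude check runs, so an excluded image that follows an included one still contributes a comma and the rendered list reads `a,,c`, with a trailing comma when the last entry is excluded. Move the separator inside the `has` guard: `{{- if (not (has $k $imageExcludeList )) -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}`. `index $imageDict $k` is the same value the range already binds to `$v`.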
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
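Review bot: A value that itself contains a single quote is emitted between the quotes unescaped, so the joined string is malformed for any consumer that parses the quoting; either document that callers must not pass such values or escape them, e.g. `'{{- $v | replace "'" "''" -}}'`, after confirming the doubling convention is what the consumer expects. The abstract also misspells "seperated"; it should read `Joins a list of values into a comma separated string with single quotes`.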
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
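Review bot: The licence header on the first line of this file opens with `{/*` instead of `{{/*`, so it is not a template comment but literal text ending in a stray `*/}}`; it should read `{{/*` like the header of every other file in this series. Because this is an underscore-prefixed partial its top-level text is presumably never rendered, which is why the mistake has gone unnoticed, but it should be corrected before further copies of helm-toolkit are bundled from it.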
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
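Review bot: In `helm-toolkit.utils.merge`, `$local.result` is assigned only inside the `range $item := rest $local.values` loop, so when the tuple holds a single value the body never runs and `{{- $_ := set $ "result" $local.result -}}` stores a missing key instead of the target. Seeding it right after `$target` is defined, `{{- $_ := set $local "result" $target -}}`, makes the map form return the sole value unchanged. The TODO in `_merge` about mixing a collection with a scalar is still open; as written the source replaces the target whenever the kinds differ, so a typo that turns a dependency map into a string silently discards the whole map, and a `fail` there would be the safer default.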
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_template.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
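Review bot: The `usage` block in the header shows `{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}`, which names the sibling helper and passes a bare map, while this define is `helm-toolkit.utils.to_k8s_env_secret_vars` and reads a tuple of the chart context and the secrets map via `index . 0` and `index . 1`. The example should read `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}` so the sample `values` and `return` blocks match the code. The emitted `- name: {{ $key }}` and `key: {{ $key }}` are unquoted; `{{ $key | quote }}` would keep a digit-only or boolean-looking secret name from being retyped by the YAML parser.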
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/libvirt/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
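Review bot: A map-valued option whose `type` is neither `multistring` nor `csv` falls through the chain starting at `{{- if eq $value.type "multistring" }}` without emitting anything, so a typo such as `type: multi-string` silently removes the option from the rendered configuration, and a map with no `type` key at all hands `eq` a nil operand. Adding an `{{- else }}{{ fail (printf "unsupported option type %q for key %s" (toString $value.type) $key) }}` arm before the `{{ end -}}` that closes the csv branch turns that into a render-time error rather than a config file that quietly differs from values.yaml.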
diff --git a/charts/libvirt/charts/helm-toolkit/values.yaml b/charts/libvirt/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/libvirt/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/libvirt/requirements.lock b/charts/libvirt/requirements.lock
new file mode 100644
index 0000000..ace5688
--- /dev/null
+++ b/charts/libvirt/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: 0.2.34
+digest: sha256:3e751b6e287477a9313edb791085b4430ca0a7fb983ea4b5245a825dc7e22619
+generated: "2022-03-21T18:35:10.37140708Z"
diff --git a/charts/libvirt/requirements.yaml b/charts/libvirt/requirements.yaml
new file mode 100644
index 0000000..84f0aff
--- /dev/null
+++ b/charts/libvirt/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: ">= 0.1.0"
+...
diff --git a/charts/libvirt/templates/bin/_ceph-admin-keyring.sh.tpl b/charts/libvirt/templates/bin/_ceph-admin-keyring.sh.tpl
new file mode 100644
index 0000000..8c36d4b
--- /dev/null
+++ b/charts/libvirt/templates/bin/_ceph-admin-keyring.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat > /etc/ceph/ceph.client.admin.keyring << EOF
+[client.admin]
+{{- if .Values.conf.ceph.admin_keyring }}
+ key = {{ .Values.conf.ceph.admin_keyring }}
+{{- else }}
+ key = $(cat /tmp/client-keyring)
+{{- end }}
+EOF
+
+exit 0
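Review bot: The keyring is written with `cat > /etc/ceph/ceph.client.admin.keyring` under whatever umask the container inherits, so the admin key typically lands world-readable; add `umask 077` after `export HOME=/tmp`, or follow the write with `chmod 600 /etc/ceph/ceph.client.admin.keyring`. The same applies to `cat > ${KEYRING}` and `ceph auth get ... -o ${KEYRING}` in `_ceph-keyring.sh.tpl`. When `.Values.conf.ceph.admin_keyring` is set the key is also rendered literally into this script, so whichever object the chart uses to ship its bin scripts then carries the admin secret; it is worth confirming that object is a Secret rather than a ConfigMap.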
diff --git a/charts/libvirt/templates/bin/_ceph-keyring.sh.tpl b/charts/libvirt/templates/bin/_ceph-keyring.sh.tpl
new file mode 100644
index 0000000..35f5c11
--- /dev/null
+++ b/charts/libvirt/templates/bin/_ceph-keyring.sh.tpl
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cp -fv /etc/ceph/ceph.conf.template /etc/ceph/ceph.conf
+
+KEYRING=/etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring
+{{- if .Values.conf.ceph.cinder.keyring }}
+cat > ${KEYRING} <<EOF
+[client.{{ .Values.conf.ceph.cinder.user }}]
+ key = {{ .Values.conf.ceph.cinder.keyring }}
+EOF
+{{- else }}
+if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
+ #
+ # If user is not client.admin, check if it already exists. If not create
+ # the user. If the cephx user does not exist make sure the caps are set
+ # according to best practices
+ #
+ if USERINFO=$(ceph auth get client.${CEPH_CINDER_USER}); then
+ echo "Cephx user client.${CEPH_CINDER_USER} already exist"
+ echo "Update user client.${CEPH_CINDER_USER} caps"
+ ceph auth caps client.${CEPH_CINDER_USER} \
+ mon "profile rbd" \
+ osd "profile rbd"
+ ceph auth get client.${CEPH_CINDER_USER} -o ${KEYRING}
+ else
+ echo "Creating Cephx user client.${CEPH_CINDER_USER}"
+ ceph auth get-or-create client.${CEPH_CINDER_USER} \
+ mon "profile rbd" \
+ osd "profile rbd" \
+ -o ${KEYRING}
+ fi
+ rm -f /etc/ceph/ceph.client.admin.keyring
+fi
+{{- end }}
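Review bot: `USERINFO=$(ceph auth get client.${CEPH_CINDER_USER})` captures the existing user's entry, key included, only to test the exit status; the variable is never read, and because the script runs under `set -ex` the assignment is traced with its expanded value, putting the key into the container log. Use the command directly as the condition, `if ceph auth get "client.${CEPH_CINDER_USER}" >/dev/null 2>&1; then`, which keeps the key out of the trace. The `ceph auth caps` call on that path also rewrites the existing user's capabilities to the rbd profiles unconditionally, which the comment intends but is worth stating in the chart documentation since it overrides any caps an operator set by hand.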
diff --git a/charts/libvirt/templates/bin/_libvirt.sh.tpl b/charts/libvirt/templates/bin/_libvirt.sh.tpl
new file mode 100644
index 0000000..c419997
--- /dev/null
+++ b/charts/libvirt/templates/bin/_libvirt.sh.tpl
@@ -0,0 +1,177 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+if [ -n "$(cat /proc/*/comm 2>/dev/null | grep -w libvirtd)" ]; then
+ set +x
+ for proc in $(ls /proc/*/comm 2>/dev/null); do
+ if [ "x$(cat $proc 2>/dev/null | grep -w libvirtd)" == "xlibvirtd" ]; then
+ set -x
+ libvirtpid=$(echo $proc | cut -f 3 -d '/')
+ echo "WARNING: libvirtd daemon already running on host" 1>&2
+ echo "$(cat "/proc/${libvirtpid}/status" 2>/dev/null | grep State)" 1>&2
+ kill -9 "$libvirtpid" || true
+ set +x
+ fi
+ done
+ set -x
+fi
+
+rm -f /var/run/libvirtd.pid
+
+if [[ -c /dev/kvm ]]; then
+ chmod 660 /dev/kvm
+ chown root:kvm /dev/kvm
+fi
+
+#Setup Cgroups to use when breaking out of Kubernetes defined groups
+CGROUPS=""
+for CGROUP in cpu rdma hugetlb; do
+ if [ -d /sys/fs/cgroup/${CGROUP} ]; then
+ CGROUPS+="${CGROUP},"
+ fi
+done
+cgcreate -g ${CGROUPS%,}:/osh-libvirt
+
+# We assume that if hugepage count > 0, then hugepages should be exposed to libvirt/qemu
+hp_count="$(cat /proc/meminfo | grep HugePages_Total | tr -cd '[:digit:]')"
+if [ 0"$hp_count" -gt 0 ]; then
+
+ echo "INFO: Detected hugepage count of '$hp_count'. Enabling hugepage settings for libvirt/qemu."
+
+ # Enable KVM hugepages for QEMU
+ if [ -n "$(grep KVM_HUGEPAGES=0 /etc/default/qemu-kvm)" ]; then
+ sed -i 's/.*KVM_HUGEPAGES=0.*/KVM_HUGEPAGES=1/g' /etc/default/qemu-kvm
+ else
+ echo KVM_HUGEPAGES=1 >> /etc/default/qemu-kvm
+ fi
+
+ # Ensure that the hugepage mount location is available/mapped inside the
+ # container. This assumes use of the default ubuntu dev-hugepages.mount
+ # systemd unit which mounts hugepages at this location.
+ if [ ! -d /dev/hugepages ]; then
+ echo "ERROR: Hugepages configured in kernel, but libvirtd container cannot access /dev/hugepages"
+ exit 1
+ fi
+
+ # Kubernetes 1.10.x introduced cgroup changes that caused the container's
+ # hugepage byte limit quota to zero out. This workaround sets that pod limit
+ # back to the total number of hugepage bytes available to the baremetal host.
+ if [ -d /sys/fs/cgroup/hugetlb ]; then
+ limits="$(ls /sys/fs/cgroup/hugetlb/{{ .Values.conf.kubernetes.cgroup }}/hugetlb.*.limit_in_bytes)" || \
+ (echo "ERROR: Failed to locate any hugetable limits. Did you set the correct cgroup in your values used for this chart?"
+ exit 1)
+ for limit in $limits; do
+ target="/sys/fs/cgroup/hugetlb/$(dirname $(awk -F: '($2~/hugetlb/){print $3}' /proc/self/cgroup))/$(basename $limit)"
+ # Ensure the write target for the hugepage limit for the pod exists
+ if [ ! -f "$target" ]; then
+ echo "ERROR: Could not find write target for hugepage limit: $target"
+ fi
+
+ # Write hugetable limit for pod
+ echo "$(cat $limit)" > "$target"
+ done
+ fi
+
+ # Determine OS default hugepage size to use for the hugepage write test
+ default_hp_kb="$(cat /proc/meminfo | grep Hugepagesize | tr -cd '[:digit:]')"
+
+ # Attempt to write to the hugepage mount to ensure it is operational, but only
+ # if we have at least 1 free page.
+ num_free_pages="$(cat /sys/kernel/mm/hugepages/hugepages-${default_hp_kb}kB/free_hugepages | tr -cd '[:digit:]')"
+ echo "INFO: '$num_free_pages' free hugepages of size ${default_hp_kb}kB"
+ if [ 0"$num_free_pages" -gt 0 ]; then
+ (fallocate -o0 -l "$default_hp_kb" /dev/hugepages/foo && rm /dev/hugepages/foo) || \
+ (echo "ERROR: fallocate failed test at /dev/hugepages with size ${default_hp_kb}kB"
+ rm /dev/hugepages/foo
+ exit 1)
+ fi
+fi
+
+if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then
+ #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
+ cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen &
+
+ tmpsecret=$(mktemp --suffix .xml)
+ if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+ tmpsecret2=$(mktemp --suffix .xml)
+ fi
+ function cleanup {
+ rm -f "${tmpsecret}"
+ if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+ rm -f "${tmpsecret2}"
+ fi
+ }
+ trap cleanup EXIT
+
+ # Wait for the libvirtd is up
+ TIMEOUT=60
+ while [[ ! -f /var/run/libvirtd.pid ]]; do
+ if [[ ${TIMEOUT} -gt 0 ]]; then
+ let TIMEOUT-=1
+ sleep 1
+ else
+ echo "ERROR: libvirt did not start in time (pid file missing)"
+ exit 1
+ fi
+ done
+
+ # Even though we see the pid file the socket immediately (this is
+ # needed for virsh)
+ TIMEOUT=10
+ while [[ ! -e /var/run/libvirt/libvirt-sock ]]; do
+ if [[ ${TIMEOUT} -gt 0 ]]; then
+ let TIMEOUT-=1
+ sleep 1
+ else
+ echo "ERROR: libvirt did not start in time (socket missing)"
+ exit 1
+ fi
+ done
+
+ function create_virsh_libvirt_secret {
+ sec_user=$1
+ sec_uuid=$2
+ sec_ceph_keyring=$3
+ cat > ${tmpsecret} <<EOF
+<secret ephemeral='no' private='no'>
+ <uuid>${sec_uuid}</uuid>
+ <usage type='ceph'>
+ <name>client.${sec_user}. secret</name>
+ </usage>
+</secret>
+EOF
+ virsh secret-define --file ${tmpsecret}
+ virsh secret-set-value --secret "${sec_uuid}" --base64 "${sec_ceph_keyring}"
+ }
+
+ if [ -z "${CEPH_CINDER_KEYRING}" ] ; then
+ CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
+ fi
+ create_virsh_libvirt_secret ${CEPH_CINDER_USER} ${LIBVIRT_CEPH_CINDER_SECRET_UUID} ${CEPH_CINDER_KEYRING}
+
+ if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+ EXTERNAL_CEPH_CINDER_KEYRING=$(cat /tmp/external-ceph-client-keyring)
+ create_virsh_libvirt_secret ${EXTERNAL_CEPH_CINDER_USER} ${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID} ${EXTERNAL_CEPH_CINDER_KEYRING}
+ fi
+
+ # rejoin libvirtd
+ wait
+else
+ #NOTE(portdirect): run libvirtd as a transient unit on the host with the osh-libvirt cgroups applied.
+ exec cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen
+fi
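Review bot: The Cephx key is traced to the container log because the script runs under `set -ex`: the `CEPH_CINDER_KEYRING=$(awk ...)` assignment, the `create_virsh_libvirt_secret ... ${CEPH_CINDER_KEYRING}` call, `sec_ceph_keyring=$3` and the `virsh secret-set-value --base64 "${sec_ceph_keyring}"` line all print the key with `+` tracing (the same applies to the external-ceph branch). Placing `set +x` before the `if [ -z "${CEPH_CINDER_KEYRING}" ]` block and `set -x` after the external-ceph `fi` keeps the rest of the script traced while keeping the key out of the log. Passing the key as a `--base64` argument also exposes it in `/proc/<pid>/cmdline` for the duration of the call, which is visible host-wide here because the pod runs with hostPID; newer libvirt's `virsh secret-set-value --file` avoids that, if the bundled image supports it.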
diff --git a/charts/libvirt/templates/configmap-apparmor.yaml b/charts/libvirt/templates/configmap-apparmor.yaml
new file mode 100644
index 0000000..a13e3c4
--- /dev/null
+++ b/charts/libvirt/templates/configmap-apparmor.yaml
@@ -0,0 +1,15 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- dict "envAll" . "component" "libvirt" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
diff --git a/charts/libvirt/templates/configmap-bin.yaml b/charts/libvirt/templates/configmap-bin.yaml
new file mode 100644
index 0000000..621e981
--- /dev/null
+++ b/charts/libvirt/templates/configmap-bin.yaml
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: libvirt-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+ libvirt.sh: |
+{{ tuple "bin/_libvirt.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if .Values.conf.ceph.enabled }}
+ ceph-keyring.sh: |
+{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ceph-admin-keyring.sh: |
+{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/libvirt/templates/configmap-etc.yaml b/charts/libvirt/templates/configmap-etc.yaml
new file mode 100644
index 0000000..1fc344f
--- /dev/null
+++ b/charts/libvirt/templates/configmap-etc.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "libvirt.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $configMapName }}
+type: Opaque
+data:
+ libvirtd.conf: {{ include "libvirt.utils.to_libvirt_conf" .Values.conf.libvirt | b64enc }}
+ qemu.conf: {{ include "libvirt.utils.to_libvirt_conf" .Values.conf.qemu | b64enc }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "libvirt-etc" . | include "libvirt.configmap.etc" }}
+{{- end }}
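Review bot: The template is named `libvirt.configmap.etc` and takes a `$configMapName`, yet the object it emits is `kind: Secret` with `type: Opaque`, so a reader looking for the ConfigMap that backs the `libvirt-etc` volume will not find one. A one-line comment above the `---` stating why `libvirtd.conf` and `qemu.conf` are delivered as a Secret would make the mismatch read as deliberate rather than as a leftover from a rename.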
diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
new file mode 100644
index 0000000..2c0ccda
--- /dev/null
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml
@@ -0,0 +1,310 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "libvirtReadinessProbeTemplate" }}
+exec:
+ command:
+ - bash
+ - -c
+ - /usr/bin/virsh list
+{{- end }}
+{{- define "libvirtLivenessProbeTemplate" }}
+exec:
+ command:
+ - bash
+ - -c
+ - /usr/bin/virsh list
+{{- end }}
+
+{{- define "libvirt.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- $ssl_enabled := false }}
+{{- if eq $envAll.Values.conf.libvirt.listen_tls "1" }}
+{{- $ssl_enabled = true }}
+{{- end }}
+{{- with $envAll }}
+
+{{- $mounts_libvirt := .Values.pod.mounts.libvirt.libvirt }}
+{{- $mounts_libvirt_init := .Values.pod.mounts.libvirt.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: libvirt
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{- dict "envAll" $envAll "podName" "libvirt-libvirt-default" "containerNames" (list "libvirt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+{{ dict "envAll" $envAll "application" "libvirt" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.agent.libvirt.node_selector_key }}: {{ .Values.labels.agent.libvirt.node_selector_value }}
+ hostNetwork: true
+ hostPID: true
+ hostIPC: true
+ dnsPolicy: {{ .Values.pod.dns_policy }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
+{{- if .Values.conf.ceph.enabled }}
+ {{- if empty .Values.conf.ceph.cinder.keyring }}
+ - name: ceph-admin-keyring-placement
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: libvirt-bin
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ {{ end }}
+ - name: ceph-keyring-placement
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: CEPH_CINDER_USER
+ value: "{{ .Values.conf.ceph.cinder.user }}"
+ {{- if .Values.conf.ceph.cinder.keyring }}
+ - name: CEPH_CINDER_KEYRING
+ value: "{{ .Values.conf.ceph.cinder.keyring }}"
+ {{ end }}
+ - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
+ value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
+ command:
+ - /tmp/ceph-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: libvirt-bin
+ mountPath: /tmp/ceph-keyring.sh
+ subPath: ceph-keyring.sh
+ readOnly: true
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf.template
+ subPath: ceph.conf
+ readOnly: true
+{{- end }}
+ containers:
+ - name: libvirt
+{{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.libvirt | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ {{- if .Values.conf.ceph.enabled }}
+ env:
+ - name: CEPH_CINDER_USER
+ value: "{{ .Values.conf.ceph.cinder.user }}"
+ {{- if .Values.conf.ceph.cinder.keyring }}
+ - name: CEPH_CINDER_KEYRING
+ value: "{{ .Values.conf.ceph.cinder.keyring }}"
+ {{ end }}
+ - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
+ value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
+ {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+ - name: EXTERNAL_CEPH_CINDER_USER
+ value: "{{ .Values.conf.ceph.cinder.external_ceph.user }}"
+ - name: LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID
+ value: "{{ .Values.conf.ceph.cinder.external_ceph.secret_uuid }}"
+ {{ end }}
+ {{ end }}
+{{ dict "envAll" . "component" "libvirt" "container" "libvirt" "type" "readiness" "probeTemplate" (include "libvirtReadinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" . "component" "libvirt" "container" "libvirt" "type" "liveness" "probeTemplate" (include "libvirtLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/libvirt.sh
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - bash
+ - -c
+ - |-
+ kill $(cat /var/run/libvirtd.pid)
+ volumeMounts:
+ {{ dict "enabled" $ssl_enabled "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ dict "enabled" $ssl_enabled "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ dict "enabled" $ssl_enabled "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ dict "enabled" $ssl_enabled "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: libvirt-bin
+ mountPath: /tmp/libvirt.sh
+ subPath: libvirt.sh
+ readOnly: true
+ - name: libvirt-etc
+ mountPath: /etc/libvirt/libvirtd.conf
+ subPath: libvirtd.conf
+ readOnly: true
+ - name: libvirt-etc
+ mountPath: /etc/libvirt/qemu.conf
+ subPath: qemu.conf
+ readOnly: true
+ - name: etc-libvirt-qemu
+ mountPath: /etc/libvirt/qemu
+ - mountPath: /lib/modules
+ name: libmodules
+ readOnly: true
+ - name: var-lib-libvirt
+ mountPath: /var/lib/libvirt
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ - name: var-lib-nova
+ mountPath: /var/lib/nova
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ - name: run
+ mountPath: /run
+ - name: dev
+ mountPath: /dev
+ - name: cgroup
+ mountPath: /sys/fs/cgroup
+ - name: logs
+ mountPath: /var/log/libvirt
+ - name: machine-id
+ mountPath: /etc/machine-id
+ readOnly: true
+ {{- if .Values.conf.ceph.enabled }}
+ - name: etcceph
+ mountPath: /etc/ceph
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ {{- if empty .Values.conf.ceph.cinder.keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+ - name: external-ceph-keyring
+ mountPath: /tmp/external-ceph-client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
+ {{- end }}
+{{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ - name: pod-tmp
+ emptyDir: {}
+ - name: libvirt-bin
+ configMap:
+ name: libvirt-bin
+ defaultMode: 0555
+ - name: libvirt-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ {{- if .Values.conf.ceph.enabled }}
+ - name: etcceph
+ hostPath:
+ path: /var/lib/openstack-helm/compute/libvirt
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ {{- if empty .Values.conf.ceph.cinder.keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.ceph_client.user_secret_name }}
+ {{ end }}
+ {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+ - name: external-ceph-keyring
+ secret:
+ secretName: {{ .Values.conf.ceph.cinder.external_ceph.user_secret_name }}
+ {{ end }}
+ {{ end }}
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: var-lib-libvirt
+ hostPath:
+ path: /var/lib/libvirt
+ - name: var-lib-nova
+ hostPath:
+ path: /var/lib/nova
+ - name: run
+ hostPath:
+ path: /run
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: logs
+ hostPath:
+ path: /var/log/libvirt
+ - name: cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+ - name: machine-id
+ hostPath:
+ path: /etc/machine-id
+ - name: etc-libvirt-qemu
+ hostPath:
+ path: /etc/libvirt/qemu
+{{ dict "envAll" $envAll "component" "libvirt" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
+{{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_libvirt }}
+
+{{- $envAll := . }}
+{{- $daemonset := "libvirt" }}
+{{- $configMapName := "libvirt-etc" }}
+{{- $serviceAccountName := "libvirt" }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "libvirt" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "libvirt.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "libvirt.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+
+{{- end }}
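Review bot: The pod requests `hostNetwork: true`, `hostPID: true` and `hostIPC: true` (and, via values, a privileged `libvirt` container with `/dev`, `/run` and `/sys/fs/cgroup` host mounts), but nothing in the template records which feature needs each one; `hostPID` is evidently used by libvirt.sh's `/proc/*/comm` scan and `hostNetwork` by the loopback TCP listener, while the need for `hostIPC` is not visible from this commit. A short comment on those three lines, such as `# hostPID: libvirt.sh locates a host libvirtd; hostNetwork: libvirtd listens on the node; hostIPC: TODO document why`, would let a later reviewer drop whichever is not required. Separately, the `etcceph` volume is a hostPath (`/var/lib/openstack-helm/compute/libvirt`) into which ceph-keyring.sh writes the Cephx keyring, so the key persists on the node after the pod is gone; that is worth stating next to the volume definition.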
diff --git a/charts/libvirt/templates/job-image-repo-sync.yaml b/charts/libvirt/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..d359d1a
--- /dev/null
+++ b/charts/libvirt/templates/job-image-repo-sync.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "libvirt" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/libvirt/templates/network-policy.yaml b/charts/libvirt/templates/network-policy.yaml
new file mode 100644
index 0000000..6ed51aa
--- /dev/null
+++ b/charts/libvirt/templates/network-policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "libvirt" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/libvirt/templates/utils/_to_libvirt_conf.tpl b/charts/libvirt/templates/utils/_to_libvirt_conf.tpl
new file mode 100644
index 0000000..31e0978
--- /dev/null
+++ b/charts/libvirt/templates/utils/_to_libvirt_conf.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Builds a libvirt compatible config file.
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+ cgroup_controllers:
+ - cpu
+ - cpuacct
+usage: |
+ {{ include "libvirt.utils.to_libvirt_conf" .Values.conf.libvirt }}
+return: |
+ cgroup_controllers = [ "cpu", "cpuacct" ]
+ log_level = 3
+*/}}
+
+{{- define "libvirt.utils._to_libvirt_conf.list_to_string" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}, {{ end -}}{{- $v | quote -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
+
+{{- define "libvirt.utils.to_libvirt_conf" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = [ {{ include "libvirt.utils._to_libvirt_conf.list_to_string" $value }} ]
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
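Review bot: The final `else` branch emits any non-string, non-slice value verbatim, so a boolean under `conf.libvirt` renders as `key = true`, which libvirt's config grammar (integers, quoted strings, lists) is unlikely to accept; this is presumably why values.yaml quotes `listen_tcp: "1"` and `log_level: "3"`. Either add `{{- else if kindIs "bool" $value }}` followed by `{{ $key }} = {{ ternary 1 0 $value }}`, or add a line to the `abstract` stating that only strings, integers and string lists are supported. Strings go through Sprig `quote`, which applies Go escaping; if a value ever contains a backslash or a double quote, the result should be checked against what libvirt's parser accepts.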
diff --git a/charts/libvirt/values.yaml b/charts/libvirt/values.yaml
new file mode 100644
index 0000000..b6cab8d
--- /dev/null
+++ b/charts/libvirt/values.yaml
@@ -0,0 +1,221 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for libvirt.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+ agent:
+ libvirt:
+ node_selector_key: openstack-compute-node
+ node_selector_value: enabled
+
+images:
+ tags:
+ libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_bionic
+ ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200217'
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/library/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+network:
+ # provide what type of network wiring will be used
+ # possible options: openvswitch, linuxbridge, sriov
+ backend:
+ - openvswitch
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+
+network_policy:
+ libvirt:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+ceph_client:
+ configmap: ceph-etc
+ user_secret_name: pvc-ceph-client-key
+
+conf:
+ ceph:
+ enabled: true
+ admin_keyring: null
+ cinder:
+ user: "cinder"
+ keyring: null
+ secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+ # Cinder Ceph backend that is not configured by the k8s cluter
+ external_ceph:
+ enabled: false
+ user: null
+ secret_uuid: null
+ user_secret_name: null
+ libvirt:
+ listen_tcp: "1"
+ listen_tls: "0"
+ auth_tcp: "none"
+ ca_file: "/etc/pki/CA/cacert.pem"
+ cert_file: "/etc/pki/libvirt/servercert.pem"
+ key_file: "/etc/pki/libvirt/private/serverkey.pem"
+ auth_unix_rw: "none"
+ listen_addr: 127.0.0.1
+ log_level: "3"
+ log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
+ qemu:
+ stdio_handler: "file"
+ user: "nova"
+ group: "kvm"
+ kubernetes:
+ cgroup: "kubepods"
+
+pod:
+ probes:
+ libvirt:
+ libvirt:
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 5
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 15
+ periodSeconds: 60
+ timeoutSeconds: 5
+ security_context:
+ libvirt:
+ pod:
+ runAsUser: 0
+ container:
+ ceph_admin_keyring_placement:
+ readOnlyRootFilesystem: false
+ ceph_keyring_placement:
+ readOnlyRootFilesystem: false
+ libvirt:
+ privileged: true
+ readOnlyRootFilesystem: false
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ dns_policy: "ClusterFirstWithHostNet"
+ mounts:
+ libvirt:
+ init_container: null
+ libvirt:
+ lifecycle:
+ upgrades:
+ daemonsets:
+ pod_replacement_strategy: RollingUpdate
+ libvirt:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ resources:
+ enabled: false
+ libvirt:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - libvirt-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ targeted:
+ openvswitch:
+ libvirt:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-ovs-agent
+ linuxbridge:
+ libvirt:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-lb-agent
+ sriov:
+ libvirt:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-sriov-agent
+ static:
+ libvirt:
+ services: null
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+manifests:
+ configmap_bin: true
+ configmap_etc: true
+ daemonset_libvirt: true
+ job_image_repo_sync: true
+ network_policy: false
+
+secrets:
+ tls:
+ server: libvirt-tls-server
+ client: libvirt-tls-client
+...
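Review bot: The defaults `listen_tcp: "1"`, `auth_tcp: "none"` and `listen_addr: 127.0.0.1` configure an unauthenticated libvirt RPC listener, and because daemonset-libvirt.yaml runs the pod with `hostNetwork: true` that loopback socket belongs to the node, so any local process or hostNetwork pod on the host can reach libvirtd without credentials. `listen_tls` defaults to `"0"` even though TLS secret names are already wired under `secrets.tls`, so a comment on the `libvirt:` block such as `# listen_tcp with auth_tcp "none" is unauthenticated on the node's loopback (pod uses hostNetwork); prefer listen_tls: "1" or auth_tcp: "sasl" outside single-tenant labs` would make the exposure explicit to operators. The `network_policy.libvirt` default of `- {}` for both ingress and egress is allow-all, which is harmless while `manifests.network_policy` is false but deserves a comment for the day it is enabled.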
diff --git a/charts/magnum/Chart.yaml b/charts/magnum/Chart.yaml
new file mode 100644
index 0000000..a834c53
--- /dev/null
+++ b/charts/magnum/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Magnum
+home: https://docs.openstack.org/magnum/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Magnum/OpenStack_Project_Magnum_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: magnum
+sources:
+- https://opendev.org/openstack/magnum
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.8
diff --git a/charts/magnum/charts/helm-toolkit/Chart.yaml b/charts/magnum/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/magnum/charts/helm-toolkit/requirements.yaml b/charts/magnum/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/magnum/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
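Review bot: `{{- if .service.name }}` in the IP-address branch dereferences `.service` without first checking that the key exists, so an endpoint definition that has a literal IP under `hosts` but no `service` block will most likely abort the render with a nil-pointer template error instead of falling back to `namespace:<type>` as the abstract promises. A guard such as `{{- if (index . "service" | default dict).name }}` keeps that fallback reachable. Separately, the `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"` pattern is unanchored, so any hostname that merely contains a dotted-quad substring is treated as an IP address; anchoring it with `^`/`$` limits the special case to literal addresses.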
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
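Review bot: `monitors: {{ $monHost }}` is emitted unquoted while every entry from `parameters` goes through `quote`; a `conf.ceph.global.mon_host` value that begins with `[` (the bracketed v2/v1 mon address list form) or contains `: ` would be read by the YAML parser as a flow sequence or nested mapping rather than the string the provisioner expects. Writing it as `monitors: {{ $monHost | quote }}` makes the StorageClass robust to either value source. The `---` placed before the `provision_storage_class` check also yields an empty document when the class is disabled; harmless, but it could move inside the `if`.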
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
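Review bot: The header comment does not mention that this template mutates chart values: each `set` call writes the defaulted `dnsNames`, `privateKey.size`, `duration`, `renewBefore` and `usages` back into `$envAll.Values.endpoints.<service>.host_fqdn_override.default.tls`, and `_ingress.tpl` in this same commit reads `duration` from that map, so the presence of its `cert-manager.io/duration` annotation appears to depend on which template renders first. A line in the abstract such as `Note: missing tls fields are defaulted in place on .Values, so templates rendered afterwards observe the defaults` would make that ordering dependency visible. It would also help to note beside the `usages` default that a certificate requested for a server endpoint is, by default, also issued for `client auth`, so operators who want a server-only key usage must set `usages` explicitly.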
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
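Review bot: The `certIssuer` branch emits `- secretName: {{ printf "%s-ing" $secretName }}`, but the third and fourth examples in the header show the resulting Secret as `barbican-tls-public-certmanager`; one of the two should be corrected so operators know which Secret cert-manager will populate and which name to reference elsewhere. In `_host_rules`, `or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort)` relies on `or` short-circuiting; on Helm builds whose text/template predates Go 1.18 both operands are evaluated and `regexMatch` receives an int, so if such versions are still supported the integer case should be split into its own `if`/`else if`. The `kubernetes.io/ingress.class` annotation is also the deprecated form for `networking.k8s.io/v1`; a comment noting why it is kept over `spec.ingressClassName` would help future readers.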
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
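Review bot: The ks-service pod spec (from `serviceAccountName:` down to the container's `command:`) sets no pod or container securityContext, so the registration container runs with whatever UID and privilege-escalation defaults the `ks_service` image ships, even though it is handed the Keystone admin credentials from `secrets.identity.admin`. The ks-user template in this same toolkit already wires in the two helpers, so the same opt-in hook can be added here: `{{ dict "envAll" $envAll "application" "ks_service" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` after `serviceAccountName:` and `{{ dict "envAll" $envAll "application" "ks_service" "container" "ks_service" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources snippet, with `pod.security_context.ks_service` declared in values (`runAsUser: 65534`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`). Whether those snippets render nothing when the values key is absent is not visible in this hunk and should be confirmed before relying on the default. This file is a bundled copy of upstream helm-toolkit, so if it is meant to stay verbatim the change belongs upstream rather than in this vendored tree.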
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
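Review bot: The rabbit-init pod (`spec:` under `template:`) has no pod or container securityContext and hardcodes `restartPolicy: OnFailure`, while the ks-service and ks-user templates in this toolkit make the restart policy overridable through `jobs.<name>.restartPolicy` and ks-user also includes the security-context snippets. This container receives both the RabbitMQ admin connection string and the service user's connection string via `secretKeyRef`, so it is a reasonable place to apply the same hardening: add `{{ dict "envAll" $envAll "application" "rabbit_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` after `serviceAccountName:` and `{{ dict "envAll" $envAll "application" "rabbit_init" "container" "rabbit_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources snippet. Separately, `RABBITMQ_AUXILIARY_CONFIGURATION` serialises the whole of `conf.rabbitmq` into a plain `value:` env entry, so anything sensitive placed under that key ends up in the pod spec for anyone with get-pods rights; if that map can ever hold credentials it should be delivered through a Secret instead. This file is a bundled copy of upstream helm-toolkit, so the change belongs upstream if the vendored copy is kept verbatim.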
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
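Review bot: The `ceph-keyring` volume hardcodes `secretName: pvc-ceph-client-key` and mounts it whenever `conf.ceph.admin_keyring` is empty, giving the bucket job what its name suggests is the PVC provisioner's Ceph client key rather than a credential scoped to RGW bucket operations; the RGW admin access keys already arrive through `rgw_s3_admin_env_vars`, so whether `create-s3-bucket.sh` needs the Ceph key at all is not visible here and should be checked. At minimum the secret name should be a template input, `{{- $cephKeyringSecret := index . "cephKeyringSecret" | default "pvc-ceph-client-key" -}}` with `secretName: {{ $cephKeyringSecret | quote }}`, so a least-privilege keyring can be supplied without forking the template. Also, the TLS secret volume uses `defaultMode: 292` (decimal for 0444) while the `ceph-etc` volume two entries above writes `defaultMode: 0444`; pick one form. Like the other job templates here, this pod sets no securityContext, so the container runs with the image's defaults while holding storage admin credentials. This is a bundled copy of upstream helm-toolkit, so the fix belongs upstream if the vendored copy is kept verbatim.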
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
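Review bot: The `ceph-keyring-placement` init container (right after the entrypoint init container) runs `/tmp/ceph-admin-keyring.sh` with the `pvc-ceph-client-key` secret mounted and shares the `etcceph` emptyDir with the main container, yet unlike the `s3-user` container it carries no `kubernetes_resources` snippet and, like the rest of the pod, no securityContext. Add `{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}` after its `imagePullPolicy:` so it is subject to the same limits, and consider `{{- $cephKeyringSecret := index . "cephKeyringSecret" | default "pvc-ceph-client-key" -}}` so the keyring secret is not a fixed name. What the placement script actually does with the key is not visible in this hunk; that it stages the keyring into `/etc/ceph` is inferred from its name and mounts. The `"helm.sh/hook-delete-policy": before-hook-creation` annotation is set here but not on the otherwise parallel s3-bucket job, which is worth aligning. This is a bundled copy of upstream helm-toolkit, so changes belong upstream if the copy is kept verbatim.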
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
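Review bot: The `docker-socket` hostPath volume at L119229–L119231 hands the image-repo-sync container the node's Docker control socket, which is equivalent to root on that node, and nothing in the pod spec (no `securityContext`, no comment) records that this is intentional. Whoever later edits `nodeSelector` at L119184 should see the consequence spelled out, e.g. above the volume: `# NOTE: the docker socket grants node-level privilege; keep this job pinned to trusted registry nodes via nodeSelector`. Marking the mount `readOnly` would not reduce that privilege, since a read-only bind mount still allows connecting to the socket. Separately, `{{- end}}` at L119188 lacks the space every other action in the file uses.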
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
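Review bot: The `else` branch at L119446–L119447 indexes `hosts.default` and passes it to `split` without the `hasKey` guard that the `internal` branch gets at L119440, so an endpoint whose `hosts` map defines neither `internal` nor `default` would, as far as I can tell, fail the render rather than be skipped. The two podSelector stanzas (L119441–L119444 and L119447–L119450) are otherwise identical, so resolving the host once and emitting a single guarded stanza removes both the duplication and the unguarded path; the file already uses `=` reassignment at L119396, so that form is available. The convention that the hostname prefix before the first `-` becomes the `application` label value also deserves a comment, e.g. `{{/* first hostname component is assumed to equal the target chart's application label */}}`.
```yaml
{{- else if index $value "hosts" }}
{{- $hosts := index $value "hosts" }}
{{- $defaultValue := index $hosts "default" }}
{{- if hasKey $hosts "internal" }}
{{- $defaultValue = index $hosts "internal" }}
{{- end }}
{{- if $defaultValue }}
{{- $a := split "-" $defaultValue }}
      - podSelector:
          matchLabels:
            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
{{- end }}
{{- end }}
{{/* … unchanged: port range loop … */}}
```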
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
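Review bot: The doc block disagrees with the code in two places: the examples at L119514 and L119538 show the credential field as `name:` while L119568 reads `$imageCredentials.username`, and the returned data key is shown as `dockerconfigjson:` (L119526, L119550) while L119577 emits `.dockerconfigjson:`, which is the key a `kubernetes.io/dockerconfigjson` secret requires. The two examples are also byte-identical, so one of them can go. The JSON at L119569 is assembled by hand with `printf`; `dict "auths" (dict (printf "%s%s" $registryHost $registryPort) (dict "auth" $dockerAuthToken)) | toJson | b64enc` yields the same document with proper escaping should a host value ever contain a quote or backslash.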
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
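Review bot: `hasKey $host $endpoint` at L119670 assumes `host_fqdn_override` is a map; if a chart sets it to null the lookup at L119669 yields nil and, as far as I can tell, `hasKey` on nil fails the render instead of skipping the secret. The file already uses `kindIs` at L119672, so `{{- if and (kindIs "map" $host) (hasKey $host $endpoint) }}` would make the guard total. Also, `join "\n"` at L119684 inserts an extra newline between `crt` and `ca` when both are block scalars that already end in one — the documented output at L119631 encodes that blank line; PEM parsers generally tolerate it, but a one-line comment saying so would save the next reader a base64 decode.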
diff --git a/charts/magnum/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/magnum/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
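Review bot: The `index $envAll.Values.endpoints $backendServiceType` lookups at L119734–L119737 use the service type verbatim, but the documented call at L119715 passes `key-manager` while endpoint keys are underscore-separated (the sibling `secret_ingress_tls` template in this toolkit applies `replace "-" "_"` for exactly this), so the `clusterIP` override silently never matches for hyphenated types. Normalising the key once at the top of the define and using it for the three lookups fixes this without changing the template's interface. `selector: app: ingress-api` at L119733 is hard-coded; if that is deliberate, a one-line comment saying so would help.
```yaml
{{- $backendServiceType := index . "backendServiceType" -}}
{{- $endpointKey := $backendServiceType | replace "-" "_" -}}
{{/* … unchanged: Service header, ports, selector … */}}
{{- if index $envAll.Values.endpoints $endpointKey }}
{{- if index $envAll.Values.endpoints $endpointKey "ip" }}
{{- if index $envAll.Values.endpoints $endpointKey "ip" "ingress" }}
  clusterIP: {{ (index $envAll.Values.endpoints $endpointKey "ip" "ingress") }}
{{- end }}
{{- end }}
{{- end }}
```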
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
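Review bot: The non-http branch at L119768 passes `--no-check-certificate`, so whenever `RGW_PROTO` is https the bucket operations accept any server certificate and the TLS endpoint is never authenticated; supplying the trusted CA with s3cmd's `--ca-certs=<path-to-mounted-ca-bundle>` keeps verification on. The access and secret keys are also passed as command-line arguments (L119770–L119771), which makes them readable in the process list of anything sharing the pod's PID namespace; if the s3cmd in the image honours `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, exporting them per call would keep the secrets off the command line. Finally `s3://$S3_BUCKET` and `$S3_USERNAME` are unquoted; `"s3://${S3_BUCKET}"` avoids word-splitting surprises.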
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
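Review bot: `|| true` at L119848 (and at L119818, L119836) turns every failure of `radosgw-admin user info` — unreachable cluster, missing keyring, wrong admin key — into the "user does not exist" branch, so `set -e` at L119805 never sees the real error and the script proceeds to `create_s3_user` against a cluster it could not read. Checking the exit status and treating only the specific "user does not exist" outcome as a miss, with everything else aborting, would restore the fail-fast intent; the exact status or message to match needs confirming against the radosgw-admin version in the image, so I have not proposed code. The loop at L119821–L119830 removes every key that differs from the supplied one, which is presumably the intended rotation, but the function head should say so, e.g. `# Rotates the user to exactly one S3 key pair: all other keys are removed.`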
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
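Review bot: The `DROP DATABASE` and `DROP USER` statements at L119988 and L119996 interpolate `database` and `user` straight from the parsed `DB_CONNECTION` URL into SQL text; identifiers cannot be bound as parameters, so they should be backtick-quoted (doubling any embedded backtick) and rejected unless they match a strict allow-list such as `[A-Za-z0-9_]+`, otherwise a malformed connection string becomes SQL run as the DB root user. The bare `except:` clauses (L119946, L119970, L119982, L119990, L119998) also catch `SystemExit` and `KeyboardInterrupt`; `except Exception:` keeps the logging intent without that. `root_engine_url` at L119964 rebuilds the URL by string join, which drops any query string and, I believe, breaks on a password containing `@` or `:`; a comment stating why the root URL is rebuilt (presumably to strip the database path) would help the next reader decide whether that is acceptable. The `_db-init.py.tpl` that follows appears to share this preamble, but its body runs past this view.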
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
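Review bot: The `CREATE DATABASE IF NOT EXISTS {0}` statement and the `GRANT ALL ... IDENTIFIED BY '{2}' {3}` statement splice `database`, `user`, `password` and the raw `MARIADB_X509` environment value into the SQL text with `.format`, so a password containing `'` breaks the GRANT and nothing checks that the two names are plain identifiers. Bind the password as a parameter instead of formatting it in (`from sqlalchemy import text`, then `IDENTIFIED BY :pw` in the statement and `root_engine.execute(text(stmt), pw=password)`), and reject `database`/`user` that do not match `^[A-Za-z0-9_]+$` before the first statement runs. A style nit on the same line: `'%%'` is not an escape under `.format`, so the grant is issued for the literal host pattern `'%%'`; `'%'` is what the comment-free code appears to intend. Since this file is a bundled copy of helm-toolkit, the fix presumably belongs upstream and then needs re-syncing here.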
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
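Review bot: `set -ex` at the top of the script traces every command, so the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` invocations print the service database password into the job log; the sibling `_ks-user.sh.tpl` in this commit handles the same situation by wrapping its password-setting command in `set +x` / `set -x`, and the two password calls here should do the same. Separately, `EXPORT PGDATABASE=$2` inside `pgsql_superuser_cmd` is not a bash builtin (`export` is), so the first caller that passes a database argument aborts with command-not-found under `set -e`; none of the visible callers pass one, which is why it has gone unnoticed. `$USER_DB_NAME` and `$USER_DB_USER` are also spliced unquoted into SQL; at minimum guard them with `[[ "$USER_DB_NAME" =~ ^[A-Za-z0-9_]+$ && "$USER_DB_USER" =~ ^[A-Za-z0-9_]+$ ]] || exit 1` before the first `pgsql_superuser_cmd` call.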
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
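Review bot: The loop mirrors each entry of `IMAGE_SYNC_LIST` by whatever reference is given, and the `docker pull` / `docker tag` / `docker push` lines do nothing digest-specific, so a mutable tag in the list is copied as whatever the upstream registry resolves it to at the moment the job runs. If the local repo is meant to be a reproducible mirror, the list entries should carry `@sha256:` digests rather than tags, so that what lands in `${LOCAL_REPO}` can be verified against a known value. Quoting `"${IMAGE}"` and `"${LOCAL_REPO}/${IMAGE}"` would also make the three docker calls robust to stray whitespace around the comma-separated entries.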
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
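Review bot: With `set -ex` in effect, the `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` call and the following `openstack user set --password=...` both print the service user's password to the job log through xtrace. `_ks-user.sh.tpl` in this same commit avoids that by switching tracing off around the password step (`set +x`, an echo with the value masked, then `set -x`); apply the same pattern here, either by wrapping both calls or by dropping `--password` from `user create` (the password is set on the following line anyway) and wrapping only the `user set` line. A smaller consistency point: `--description` is passed with `=` on the domain call and with a space on the user call; harmless, but worth aligning.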
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
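Review bot: When the stored URL differs, the script runs `openstack endpoint delete ${OS_ENDPOINT_ID}` and only afterwards creates the replacement, so every URL change leaves a window in which the catalog has no endpoint of this interface for the service in the region; `openstack endpoint set --url "${OS_SERVICE_ENDPOINT}" "${OS_ENDPOINT_ID}"` updates it in place and removes that gap along with the `OS_ENDPOINT_UPDATE="True"` bookkeeping in that branch. The `grep` patterns that locate the service and the endpoint treat `OS_SERVICE_NAME` and `OS_SERVICE_TYPE` as regular expressions, so a value containing `.` or `+` matches more loosely than intended; these values are presumably chart-controlled, which limits the exposure, but matching exact csv fields with `awk -F,` would be tighter. `${OS_ENDPOINT_ID}` is also used unquoted in the `delete` and `show` calls; `"${OS_ENDPOINT_ID}"` keeps behaviour identical and matches the quoting used elsewhere in the file.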
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
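Review bot: The retry loop cannot tell a failed `openstack service list` from a successful listing that lacks the service, because `OS_SERVICE_ID` comes from a `list | grep | sed` pipeline whose exit status is `sed`'s; after three failed lists the script falls through to `openstack service create`, which is exactly the duplicate-service outcome the FIXME comment describes. Capture the listing first, retry only when the list command itself fails, stop as soon as a listing succeeds, and refuse to create when no listing ever succeeded; the rewritten loop is below. A side benefit is that a healthy cluster with a genuinely new service no longer waits three rounds of `sleep 2` before creating it.
```shell
OS_SERVICE_LISTED="false"
for i in $(seq 3)
do
  # A failed list (e.g. the ECONNRESET described above) must not be read as
  # "service absent": only a successful listing is searched.
  if ! OS_SERVICE_LIST=$(openstack service list -f csv --quote none); then
    sleep 2
    continue
  fi
  OS_SERVICE_LISTED="true"
  OS_SERVICE_ID=$( echo "${OS_SERVICE_LIST}" | \
    grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )

  # … unchanged: exit 0 when OS_SERVICE_ID is non-empty …

  # The listing succeeded and the service is genuinely missing: no point retrying.
  break
done

if [[ "${OS_SERVICE_LISTED}" != "true" ]]; then
  echo "Unable to list keystone services after 3 attempts; not creating a possibly duplicate service"
  exit 1
fi

# … unchanged: openstack service create …
```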
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
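Review bot: The member-role step at the end does not assign `MEMBER_OS_ROLE`: `ks_assign_user_role` recomputes `USER_ROLE_ID` from `SERVICE_OS_ROLE` on entry, so the value from `export USER_ROLE_ID=$(openstack role create --or-show ... "${MEMBER_OS_ROLE}")` is overwritten by whatever the preceding `for` loop left in `SERVICE_OS_ROLE` (or by an unset variable when `SERVICE_OS_ROLES` is empty), and that role is assigned a second time instead of `member`. Replace the three lines with `SERVICE_OS_ROLE="${MEMBER_OS_ROLE}"` followed by `ks_assign_user_role`, or change the function to take the role name as `$1`. `IFS=','` is also left in effect for the rest of the script; restore it with `unset IFS` right after the loop's `done`.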
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
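Review bot: `rabbitmqadmin_cli` passes `--password="${RABBITMQ_ADMIN_PASSWORD}"` on every invocation and the user step passes `password="${RABBITMQ_PASSWORD}"` as an argument, so both credentials are visible in the job pod's process list for as long as each call runs; `rabbitmqadmin` can read host, port, username and password from a file given with `--config`, which keeps the admin credential off the command line (the per-user `password=` argument has no such alternative short of supplying `password_hash=`). The auxiliary definitions written to `/tmp/rmq_definitions.json` can likewise contain credentials and are never removed; `_rally_test.sh.tpl` in this commit does `rm -f` on its temporary config right after use, and the same `rm -f /tmp/rmq_definitions.json` after the `import` (with `umask 077` before the write) belongs here. The awk field extraction at the top also assumes the password contains none of `/`, `:` or `@` and is not URL-encoded, so a generated password with those characters yields a wrong credential; a comment stating that constraint, or an explicit check, would save someone a confusing debugging session.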
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
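Review bot: `if [ $revisionResults = "None" ]` in `create_or_update_db` leaves the variable unquoted, so an empty or multi-word `rally db revision` output turns the test into `[: =: unary operator expected` and, with `set -e` active, aborts the job; write `if [ "${revisionResults}" = "None" ]`. The heredoc that builds `/tmp/rally-config.json` expands `OS_PASSWORD` and `SERVICE_OS_PASSWORD` directly into JSON string literals without escaping, so a password containing `"` or `\` produces invalid JSON and `rally deployment create` fails with an unhelpful error; a check such as `case "${OS_PASSWORD}${SERVICE_OS_PASSWORD}" in *\"*|*\\*) echo "unsupported character in password"; exit 1;; esac` before the `cat` makes that limit explicit. The temporary file is removed right after use, which is good; adding `umask 077` before the `cat` keeps it private for the short time it exists.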
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Calculation remote file SHA256 hash
+ REMOTE_FILE=$(mktemp -p /tmp)
+ openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+ rm -rf ${REMOTE_FILE}
+ return 1
+ fi
+
+ # Remote backup verification
+ SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+ SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+ if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+ return 1
+ fi
+ rm -rf ${REMOTE_FILE}
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
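Review bot: A missing `images.tags.<name>` entry is not caught at render time: `{{- $imageTag := index $envAll.Values.images.tags $image -}}` yields an empty value and the snippet emits `image: ""` (or `image: "localhost:5000/"` with the local registry active), which only surfaces as a pod pull/validation error well after `helm install` has succeeded. Replacing that line with `{{- $imageTag := required (printf "images.tags.%s is not set" $image) (index $envAll.Values.images.tags $image) -}}` fails fast with a message naming the offending key. As this is a bundled copy of helm-toolkit, the change presumably belongs at the source the bundle is taken from so it is not lost on the next re-bundle.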
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
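Review bot: The abstract/return comment above the define no longer matches the template body: it omits the `OS_DEFAULT_DOMAIN` entry that is always emitted, shows `OS_CACERT` as unconditional although the body only emits it inside `{{- if $useCA }}`, and never mentions the `useCA` dict key that `{{- $useCA := .useCA -}}` reads. Suggest updating the `usage:` example to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}` and the `return:` block to list `OS_DEFAULT_DOMAIN` and mark `OS_CACERT` as conditional. `OS_ENDPOINT_TYPE` is deliberately wired to the `OS_INTERFACE` secret key on both sides; a one-line comment above that entry, e.g. `# OS_ENDPOINT_TYPE is an alias of OS_INTERFACE for older clients`, would stop the next reader treating it as a copy-paste slip (the intent is inferred, so confirm before writing it). The same stale-`useCA` problem appears in the usage example of the keystone_user_create_env_vars hunk below, whose define does not read `useCA` at all.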
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
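Review bot: The documented values block and the template disagree about where the profiles live: the example places `apparmor_profiles` under `pod.mandatory_access_control`, but `{{- if $envAll.Values.conf.apparmor_profiles }}` and the `data:` line read `.Values.conf.apparmor_profiles`, so a chart author following the comment gets no ConfigMap and no error. Either the `values:` example should move the key to `conf: apparmor_profiles: ...` or the two lookups should change; the former is the smaller fix if consuming charts already use `conf`. Separately, `.Values.conf` is dereferenced without a `hasKey` guard while every `pod.mandatory_access_control` key is guarded, so a chart that enables `configmap_apparmor` but has no `conf` stanza would, as far as I can tell, fail rendering with a nil-pointer evaluation error rather than skipping the ConfigMap; `{{- if and (hasKey $envAll.Values "conf") $envAll.Values.conf.apparmor_profiles }}` would make the guard consistent with the rest of the snippet.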
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
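Review bot: The loader init container runs with `privileged: true` and mounts host `/sys` and `/etc/apparmor.d` (read-only here, provisioned by the companion volumes snippet), which is inherent to loading profiles into the kernel, but neither the abstract nor the body says so and the only gate is the `configmap_apparmor` value. A comment above `securityContext:` such as `# privileged + /sys access is required to load profiles into the kernel; enabled only when pod.mandatory_access_control.configmap_apparmor is true` would let reviewers of consuming charts and anyone writing PodSecurity/admission policy see what enabling that flag implies. On style, `image: {{ $envAll.Values.images.tags.apparmor_loader }}` is rendered unquoted while the `_image.tpl` snippet in this same commit quotes every image reference; `image: {{ $envAll.Values.images.tags.apparmor_loader | quote }}` keeps the two consistent and makes a missing tag visible as `image: ""` rather than an empty scalar.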
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
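Review bot: The third guard indexes `$application "container"` without first checking that the application entry has a `container` key; if `pod.security_context.<app>` is present but only holds a pod-level context, `index` returns nil and `hasKey` on that nil, as far as I can tell, aborts rendering instead of skipping the block. Inserting `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "container" }}` between the second and third `if` lines (plus one more `{{- end -}}` at the bottom) makes the snippet tolerant of that values layout. The first guard's `( index $envAll.Values.pod.security_context )` is a single-argument `index` that is equivalent to the bare value, so `hasKey $envAll.Values.pod.security_context $application` reads more plainly.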
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
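Review bot: The `{{-` on the DEPENDENCY_JOBS_JSON line trims the space after `value:`, so as I read the Go-template trim rules the rendered text is `value:"[...]"` with no separator, which YAML parses as a continuation of the preceding `name:` plain scalar rather than as a `value` key, leaving that env entry without a value. Dropping the inner trim markers, `value: {{ toJson $deps.jobs | quote }}`, renders a proper key and matches how DEPENDENCY_POD_JSON is written a few lines below. The branch only runs when jobs are given as a list of objects, which may be why it has gone unnoticed. This is a bundled copy of helm-toolkit, so the fix belongs upstream and should then be re-synced into every chart's copy.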
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
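Review bot: An unrecognised `mandatory_access_control.type` is silently ignored: the `eq $macType "apparmor"` branch has no `else`, so a typo in the value renders no annotation and the pod runs without the profile the operator believed was applied. Adding `{{- else }}{{ fail (printf "unsupported mandatory_access_control.type %q" $macType) }}` before the matching `{{- end }}` turns that into a render-time error instead of a silent loss of confinement. The `container.apparmor.security.beta.kubernetes.io/<name>` annotation is also the legacy form; on clusters that support `securityContext.appArmorProfile` the field is the supported path and the annotation is deprecated, which is worth a sentence in the abstract. Since this is a bundled copy of helm-toolkit the change should land upstream first.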
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
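Review bot: The Role grants `list` as well as `get` on `secrets` whenever a secret dependency is declared, and without `resourceNames`, which lets the workload's ServiceAccount enumerate and read every Secret in the namespace rather than only the one it waits on. If kubernetes-entrypoint resolves its secret dependency by name, `get` alone (ideally scoped with `resourceNames`) would satisfy it; I cannot confirm that from this hunk, so it is worth checking before tightening. Because the verb list is shared by every resource branch, moving the `secrets` case into its own rule with its own verbs keeps the other resources unchanged. As a bundled copy of helm-toolkit this belongs upstream.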
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
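Review bot: The `range $k, $v := $deps` loop has no branch for `custom_resources`, so a chart that declares a custom-resource dependency gets an init container that asks kubernetes-entrypoint to wait on it (the DEPENDENCY_CUSTOM_RESOURCE env in this commit's init-container snippet) but a Role that grants nothing on that API group; the check would presumably fail as forbidden unless a binding exists elsewhere. A comment at the top of the range, `{{/* custom_resources need a Role on their apiGroup; not generated here */}}`, would at least document the gap for chart authors. Separately, the `randAlphaNum 32` placeholder key is unset before use, so it adds a random-number dependency for no rendered effect; a fixed sentinel such as `"__placeholder"` does the same job. The fix belongs upstream in helm-toolkit.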
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
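Review bot: When both the deprecated `pod.user.<app>.uid` and `pod.security_context.<app>.pod.runAsUser` are set, `runAsUser` is rendered twice under `securityContext`; most YAML loaders silently keep the last key, so the `uid` value is dropped with no signal, while strict field validation (e.g. `kubectl --validate=strict`) rejects the manifest outright. Guarding the `uid` branch so it renders only when the application's `pod` security-context map does not already contain `runAsUser` removes the duplicate, and a one-line note in the abstract that `security_context.pod` wins would help until `user` is removed. Also, `securityContext:` is emitted even when neither key is present, and the final `index ... $application "pod"` does not check that `pod` exists, so an application with only a `container` map renders `null` beneath it; both are tolerated by kubectl but deserve a `hasKey` check. As this is a bundled helm-toolkit copy, the change belongs upstream.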
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
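Review bot: `mergeOverwrite $probeTemplate $probeOverides` mutates the dict passed in as `probeTemplate`, so a caller that builds the template once and passes the same map for both a readiness and a liveness probe would see the first probe's `params` leak into the second. `mergeOverwrite (deepCopy $probeTemplate) $probeOverides` keeps the caller's map untouched; the documented usage builds a fresh map per call, so the leak only appears with reuse. The local is also misspelled; `$probeOverrides` reads better. Fix belongs upstream in helm-toolkit.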
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
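Review bot: The `return:` example in the docblock has an unterminated string, `memory: "128Mi`, which should read `memory: "128Mi"`. The second tuple element is bound to `$component`, but per the usage line it is the resources map for a component (`.Values.pod.resources.api`), not a component name; renaming it `$resources` would match what `toYaml $component` actually serialises. The docblock marks the helper deprecated without naming its replacement, which a reader of the bundled copy will want to know.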
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
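Review bot: The key emitted at L123577, `container.seccomp.security.alpha.kubernetes.io/{{ $name }}`, is the legacy seccomp annotation, which Kubernetes deprecated in 1.19 and no longer honours as of 1.25, so on a current cluster a profile configured under `pod.seccomp` is silently not applied. Since this is a bundled copy of upstream helm-toolkit the fix belongs in the pod specs rather than this snippet, but the header should warn about it. I would add to the `note:` block: `As of Kubernetes 1.25 these annotations are ignored; set securityContext.seccompProfile on the pod or container instead.`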
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
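Review bot: The `enabled: true` flag shown in the `values:` header (L123609) is never read: the define at L123626 unconditionally emits `tolerations:` followed by `toYaml $pod.tolerations`. Either wrap the output in `{{- if $pod.enabled }}` … `{{- end }}` or drop `enabled` from the example so readers do not expect a switch that does nothing. The `usage:` example is also inconsistent with the code: `index $envAll.Values.pod.tolerations $component` at L123629 expects `$component` to be a map key such as `"api"`, whereas the example passes the map `.Values.pod.tolerations.api`, which should fail at render time; it should read `( tuple . "api" )`.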
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
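Review bot: The license header in this hunk is missing its first line; L123881 goes straight from `{{/*` to `you may not use this file except in compliance with the License.`, so the sentence has no subject and the header differs from every other snippet in this commit. Add `Licensed under the Apache License, Version 2.0 (the "License");` after the opening `{{/*` to match the others.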
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
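Review bot: The abstract at L123938 reads `Reneders an attonation key and value for a release`; it should read `Renders an annotation key and value for a release`. It would also help to state there that an unset `release_uuid` is rendered as an empty-string annotation (via `default ""` at L123949) rather than omitted, which is what the `return:` example shows but the abstract does not say.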
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
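Review bot: The secret keys written here are derived from the value keys (`{{ $key | upper }}` at L124019), while the sibling `_rgw_s3_user_env_vars.tpl` in this commit (L124051, L124056, L124061) reads the fixed keys `USERNAME`, `ACCESS_KEY` and `SECRET_KEY` from the same `<client>-s3-user-secret`, so `storage.s3.clients.<name>.auth` must contain exactly `username`, `access_key` and `secret_key` for the two snippets to line up, and nothing documents that. I would add a header block in the style of the other snippets stating the expected `auth` keys and that the secret name is derived as `<client>-s3-user-secret` with `_` replaced by `-`. Since `$config.auth` is copied straight from values into `Secret.data` with only base64 encoding, the header should also say these credentials are expected to come from a values override rather than the committed values.yaml.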
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
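Review bot: The `usage:` example at L124097 passes `"enabled" "true"` as a string, but the guard at L124110 is `and $enabled (ne $name "")`, and in Go templates any non-empty string is truthy, so a caller following the example with `"enabled" "false"` would still get the volume rendered. The example should pass a boolean, `"enabled" true`, as the `_tls_volume_mount.tpl` example in this commit does with `.Values.manifests.certificates`. The fixed mode at L124114 is also easier to review with its octal spelled out: `defaultMode: 292  # 0444`.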
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
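Review bot: The second `usage:` example at L124173 passes `"ca" true`, but the define never reads a `ca` key; the CA-only mount is selected by `and (eq $path "") (ne $name "")` at L124188, i.e. by omitting `path`. Either document that in the parameter list (`ca: not read; omit path to mount only the issuing CA`) or change the example to `dict "enabled" .Values.manifests.certificates "name" "glance-tls-api"`. The `enabled` check at L124187 has the same string-truthiness caveat as `_tls_volume.tpl`, so the parameter description should say it expects a boolean. Separately, `$key` in `range $key, $value := $certs` at L124195 is unused; `range $value := $certs` reads cleaner.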
diff --git a/charts/magnum/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/magnum/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
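Review bot: The `format` parameter read at L124278 (`index . "format" | default "configMap"`, with `"Secret"` selecting the base64 branch at L124281) is not mentioned anywhere in the header; the `usage:` block only shows `envAll`, `template` and `key`. Add a line to the abstract such as `format: "configMap" (default) or "Secret"; Secret base64-encodes the rendered value for use under Secret.data`. The abstract should also state plainly that `template` is passed through `tpl` with the chart's full context (L124280), so any value rendered through this helper is executed as a Go template rather than copied; the example hints at it, but a caller deciding which values to route through here needs to know.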
diff --git a/charts/magnum/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/magnum/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
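Review bot: When `params.ca` is present but lacks `crt` or `key`, neither branch at L124370–L124378 sets `$local.ca`, so `genSignedCert … $local.ca` at L124381 runs with a nil CA and fails with an obscure error rather than the cause; add an `{{- else }}` to the inner `if` at L124371 with `{{- fail "params.ca must provide both crt and key" }}`. The returned map also carries `caKey` in both branches (L124387, L124393), which the documented `return:` block omits; a caller that dumps the whole map into a Secret stores the CA signing key next to the leaf certificate, so the key should be documented and callers told to drop it unless they intend to store the CA. Finally, `genCA (first $local.certHosts)` at L124376 uses an empty common name when `hosts.names` is unset, which is worth a sentence in the `values:` header.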
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
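Review bot: `{{- $_ := unset $context ".Files" }}` near the top of `helm-toolkit.utils.daemonset_overrides` appears to be a no-op: the root context's key is `Files`, with no leading dot, so nothing is removed and the later `omit $context "Values"` and `toYaml | fromYaml` deep copies still carry the files object. If the intent is to keep chart files out of the per-node copies and nothing reached through `$configmap_include` reads `.Files`, the line should be `{{- $_ := unset $context "Files" }}`; if the current behaviour is relied upon, replace the line with a comment saying why it is kept. The `dns_1123_name` value is set to `dict` at `set $current_dict "dns_1123_name" dict` and immediately overwritten in both branches, so that initialisation can be dropped.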
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
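Review bot: `$wtf` in `helm-toolkit.utils.hash` is an unhelpful name for the path of the template being hashed, and `replace $last $name` rewrites every occurrence of the basename within `$context.Template.Name`, not only the final segment, which would misresolve a chart whose directory name repeats the file name. Building the path explicitly avoids both: `{{- $templatePath := printf "%s/%s" (dir $context.Template.Name) $name -}}` followed by `{{- include $templatePath $context | sha256sum | quote -}}`. `helm-toolkit.utils.template` in `_template.tpl` uses the same `$wtf` / `replace` pattern and would take the same change.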
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
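Review bot: The separator in `helm-toolkit.utils.image_sync_list` is emitted before the exclusion check, so once any image has been written, every excluded key that follows still produces a comma, giving `a,,b` or a trailing `a,` in the output. Moving the separator inside the guard fixes it: `{{- if (not (has $k $imageExcludeList )) -}}{{- if not $local.first -}},{{- end -}}{{- index $imageDict $k -}}{{- $_ := set $local "first" false -}}{{- end -}}`. A short `{{/* comma separated list of image tags not listed in images.local_registry.exclude */}}` above the define would also help, since this file has no abstract block like its siblings.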
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
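Review bot: `helm-toolkit.utils.joinListWithCommaAndSingleQuotes` wraps each value in single quotes without escaping, so a value that itself contains `'` yields an unbalanced quoted string for whatever consumer parses the result. Since the correct escape depends on the consumer, the minimum is to state the precondition in the abstract, e.g. `Values must not contain single quotes; no escaping is applied.`, and fix `seperated` to `separated` in the same block.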
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
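Review bot: The license header in `_joinListWithPrefix.tpl` opens with `{/*` instead of `{{/*`, so it is literal template text rather than a comment; it is inert in a `_*.tpl` partial that Helm does not render on its own, but it does not match the other files in this directory and will break if the text is ever moved inside a `define`. Change the first line to `{{/*`.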
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_template.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/magnum/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/magnum/charts/helm-toolkit/values.yaml b/charts/magnum/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/magnum/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/magnum/requirements.lock b/charts/magnum/requirements.lock
new file mode 100644
index 0000000..7769810
--- /dev/null
+++ b/charts/magnum/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:23.269657087Z"
diff --git a/charts/magnum/requirements.yaml b/charts/magnum/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/magnum/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
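= 0.1.0"">
Review bot: The dependency at `repository: file://../../openstack-helm-infra/helm-toolkit` resolves to a path outside this chart tree, and `version: ">= 0.1.0"` accepts any future helm-toolkit, so a `helm dependency update` run against this bundle would either fail on the missing path or silently replace the vendored subchart with whatever is found there. Since the subchart is shipped in `charts/helm-toolkit`, pin the constraint to the version recorded in the lockfile, `version: "0.2.50"`, so the lock, the requirement and the bundled copy cannot drift apart. The bundled subchart's own Chart.yaml is not visible here, so confirm that it really is 0.2.50 before pinning.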
diff --git a/charts/magnum/templates/bin/_bootstrap.sh.tpl b/charts/magnum/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/magnum/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
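Review bot: `set -ex` on the line above traces every expanded command of the operator-supplied `.Values.bootstrap.script` into the job log, so any credential the script passes on a command line (an `--os-password`, a token embedded in a URL) ends up in pod logs and in whatever aggregates them. If tracing is wanted for the default case, suspend it around the user script with `set +x` before the template expansion and `set -x` after, or document in values that `bootstrap.script` must never put secrets on command lines. The script is also substituted verbatim into a ConfigMap-backed shell file, so whoever can set chart values runs arbitrary shell as the bootstrap job's identity — expected for this hook, but a comment such as `# bootstrap.script is executed unmodified; treat chart values as trusted input` makes that contract explicit.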
diff --git a/charts/magnum/templates/bin/_db-sync.sh.tpl b/charts/magnum/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..4669fb3
--- /dev/null
+++ b/charts/magnum/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+magnum-db-manage upgrade
diff --git a/charts/magnum/templates/bin/_magnum-api.sh.tpl b/charts/magnum/templates/bin/_magnum-api.sh.tpl
new file mode 100644
index 0000000..5786cea
--- /dev/null
+++ b/charts/magnum/templates/bin/_magnum-api.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec magnum-api \
+ --config-file /etc/magnum/magnum.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
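Review bot: `COMMAND="${@:-start}"` followed by the bare `$COMMAND` executes whatever word list is passed to the script, so any argument other than `start` or `stop` is run as an arbitrary command (and echoed by `set -x`). A `case` dispatch that accepts only the two defined entry points and exits non-zero otherwise keeps the container command from doubling as a shell trampoline. `stop` sending `kill -TERM 1` relies on `start` having `exec`'d magnum-api as PID 1, which it does, but a one-line comment there would make that coupling explicit.
```shell
COMMAND="${1:-start}"

# … unchanged: start() and stop() …

case "${COMMAND}" in
  start|stop) "${COMMAND}" ;;
  *) echo "unknown command: ${COMMAND}" >&2; exit 1 ;;
esac
```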
diff --git a/charts/magnum/templates/bin/_magnum-conductor-init.sh.tpl b/charts/magnum/templates/bin/_magnum-conductor-init.sh.tpl
new file mode 100644
index 0000000..5b4b414
--- /dev/null
+++ b/charts/magnum/templates/bin/_magnum-conductor-init.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+tee /tmp/pod-shared/magnum.conf <<EOF
+[DEFAULT]
+host = ${POD_NAME}
+EOF
diff --git a/charts/magnum/templates/bin/_magnum-conductor.sh.tpl b/charts/magnum/templates/bin/_magnum-conductor.sh.tpl
new file mode 100644
index 0000000..9374f5e
--- /dev/null
+++ b/charts/magnum/templates/bin/_magnum-conductor.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec magnum-conductor \
+ --config-file /etc/magnum/magnum.conf \
+ --config-file /tmp/pod-shared/magnum.conf
diff --git a/charts/magnum/templates/configmap-bin.yaml b/charts/magnum/templates/configmap-bin.yaml
new file mode 100644
index 0000000..bb526d5
--- /dev/null
+++ b/charts/magnum/templates/configmap-bin.yaml
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: magnum-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ ks-domain-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
+ magnum-api.sh: |
+{{ tuple "bin/_magnum-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ magnum-conductor.sh: |
+{{ tuple "bin/_magnum-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ magnum-conductor-init.sh: |
+{{ tuple "bin/_magnum-conductor-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
diff --git a/charts/magnum/templates/configmap-etc.yaml b/charts/magnum/templates/configmap-etc.yaml
new file mode 100644
index 0000000..466e2ae
--- /dev/null
+++ b/charts/magnum/templates/configmap-etc.yaml
@@ -0,0 +1,97 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.magnum.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "region_name" .Values.endpoints.identity.auth.magnum.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "project_name" .Values.endpoints.identity.auth.magnum.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.magnum.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.magnum.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "username" .Values.endpoints.identity.auth.magnum.username -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "password" .Values.endpoints.identity.auth.magnum.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.magnum.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.database.connection -}}
+{{- $_ := tuple "oslo_db" "internal" "magnum" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.magnum.database "connection" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "magnum" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.magnum.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.api.port -}}
+{{- $_ := tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.magnum.api "port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.magnum.trust.trustee_domain_name -}}
+{{- $_ := set .Values.conf.magnum.trust "trustee_domain_name" .Values.endpoints.identity.auth.magnum_stack_user.domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.trust.trustee_domain_admin_name -}}
+{{- $_ := set .Values.conf.magnum.trust "trustee_domain_admin_name" .Values.endpoints.identity.auth.magnum_stack_user.username -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.trust.trustee_domain_admin_password -}}
+{{- $_ := set .Values.conf.magnum.trust "trustee_domain_admin_password" .Values.endpoints.identity.auth.magnum_stack_user.password -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: magnum-etc
+type: Opaque
+data:
+ magnum.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.magnum | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+ api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+{{- end }}
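Review bot: `memcache_secret_key` falls back to `randAlphaNum 64` when `endpoints.oslo_cache.auth.memcache_secret_key` is unset, so every render produces a different key: each `helm upgrade` rewrites the `magnum-etc` Secret, the `configmap-etc-hash` annotation changes and the API is rolled even with no intended change, and during that rollout replicas hold different keys, so any token cache entries protected by that key on one replica would presumably be rejected by another (whether the key is used at all depends on `memcache_security_strategy`, which this template does not set — confirm in values). Prefer a stable key: make the value required, e.g. `required "endpoints.oslo_cache.auth.memcache_secret_key must be set" .Values.endpoints.oslo_cache.auth.memcache_secret_key`, or read the existing Secret back with `lookup` before generating a new one, and add a comment on the fallback stating that it is regenerated on every render. Separately, keystonemiddleware has deprecated `auth_uri` in favour of `www_authenticate_uri`; if the magnum image carries a recent middleware, the `auth_uri` default set at the top of this template is only honoured as a deprecated alias — verify against the image's version.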
diff --git a/charts/magnum/templates/deployment-api.yaml b/charts/magnum/templates/deployment-api.yaml
new file mode 100644
index 0000000..fbb43d2
--- /dev/null
+++ b/charts/magnum/templates/deployment-api.yaml
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_magnum_api := .Values.pod.mounts.magnum_api.magnum_api }}
+{{- $mounts_magnum_api_init := .Values.pod.mounts.magnum_api.init_container }}
+
+{{- $serviceAccountName := "magnum-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: magnum-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_magnum_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: magnum-api
+{{ tuple $envAll "magnum_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.magnum.uid }}
+ command:
+ - /tmp/magnum-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/magnum-api.sh
+ - stop
+ ports:
+ - name: m-api
+ containerPort: {{ tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: {{ tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: magnum-bin
+ mountPath: /tmp/magnum-api.sh
+ subPath: magnum-api.sh
+ readOnly: true
+ - name: pod-etc-magnum
+ mountPath: /etc/magnum
+ - name: pod-var-cache-magnum
+ mountPath: /var/cache/magnum
+ - name: magnum-etc
+ mountPath: /etc/magnum/magnum.conf
+ subPath: magnum.conf
+ readOnly: true
+ {{- if .Values.conf.magnum.DEFAULT.log_config_append }}
+ - name: magnum-etc
+ mountPath: {{ .Values.conf.magnum.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.magnum.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: magnum-etc
+ mountPath: /etc/magnum/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: magnum-etc
+ mountPath: /etc/magnum/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: magnum-lock-path
+ mountPath: {{ .Values.conf.magnum.oslo_concurrency.lock_path }}
+{{ if $mounts_magnum_api.volumeMounts }}{{ toYaml $mounts_magnum_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-magnum
+ emptyDir: {}
+ - name: pod-var-cache-magnum
+ emptyDir: {}
+ - name: magnum-bin
+ configMap:
+ name: magnum-bin
+ defaultMode: 0555
+ - name: magnum-etc
+ secret:
+ secretName: magnum-etc
+ defaultMode: 0444
+ - name: magnum-lock-path
+ emptyDir: {}
+{{ if $mounts_magnum_api.volumes }}{{ toYaml $mounts_magnum_api.volumes | indent 8 }}{{ end }}
+{{- end }}
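Review bot: The API container's `securityContext` sets only `runAsUser`; nothing drops capabilities, blocks privilege escalation or makes the root filesystem read-only, and there is no pod-level `runAsNonRoot`. Every path the process writes — `/tmp`, `/etc/magnum`, `/var/cache/magnum` and `oslo_concurrency.lock_path` — is already an emptyDir mount in this manifest, so a read-only root filesystem is likely viable (assuming the image writes nowhere else; confirm before enabling). If the bundled helm-toolkit provides `kubernetes_pod_security_context`/`kubernetes_container_security_context` snippets driven by `pod.security_context`, prefer those so operators can tune the settings from values; otherwise harden inline as below. The readiness probe also hard-codes `scheme: HTTP`, which will need to follow any TLS setting if one is later added to the chart.
```yaml
          securityContext:
            runAsUser: {{ .Values.pod.user.magnum.uid }}
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
```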
diff --git a/charts/magnum/templates/ingress-api.yaml b/charts/magnum/templates/ingress-api.yaml
new file mode 100644
index 0000000..3bd1e40
--- /dev/null
+++ b/charts/magnum/templates/ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "container-infra" "backendPort" "m-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-bootstrap.yaml b/charts/magnum/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..83ecd2e
--- /dev/null
+++ b/charts/magnum/templates/job-bootstrap.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "magnum" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.magnum.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-db-drop.yaml b/charts/magnum/templates/job-db-drop.yaml
new file mode 100644
index 0000000..3d8c3ad
--- /dev/null
+++ b/charts/magnum/templates/job-db-drop.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "magnum" -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-db-init.yaml b/charts/magnum/templates/job-db-init.yaml
new file mode 100644
index 0000000..130e57c
--- /dev/null
+++ b/charts/magnum/templates/job-db-init.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "magnum" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-db-sync.yaml b/charts/magnum/templates/job-db-sync.yaml
new file mode 100644
index 0000000..2b5baa3
--- /dev/null
+++ b/charts/magnum/templates/job-db-sync.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "magnum" "podVolMounts" .Values.pod.mounts.magnum_db_sync.magnum_db_sync.volumeMounts "podVols" .Values.pod.mounts.magnum_db_sync.magnum_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-image-repo-sync.yaml b/charts/magnum/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..4cb0670
--- /dev/null
+++ b/charts/magnum/templates/job-image-repo-sync.yaml
@@ -0,0 +1,22 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "magnum" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-ks-endpoints.yaml b/charts/magnum/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..179aeaa
--- /dev/null
+++ b/charts/magnum/templates/job-ks-endpoints.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "magnum" "serviceTypes" ( tuple "container-infra" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
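Review bot: The job variable on the `dict` line is named `$ksServiceJob`, evidently carried over from the ks-service template, but this file renders the ks-endpoints job, so anyone grepping for the endpoints job lands on the wrong name. Rename it in both lines: `{{- $ksEndpointsJob := dict "envAll" . "serviceName" "magnum" "serviceTypes" ( tuple "container-infra" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}` and `{{ $ksEndpointsJob | include "helm-toolkit.manifests.job_ks_endpoints" }}`. The sibling templates in this commit already use a distinct variable per job (`$ksUserJob`, `$rmqUserJob`, `$dbSyncJob`), so this brings the file in line with them.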
diff --git a/charts/magnum/templates/job-ks-service.yaml b/charts/magnum/templates/job-ks-service.yaml
new file mode 100644
index 0000000..5e7944b
--- /dev/null
+++ b/charts/magnum/templates/job-ks-service.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "magnum" "serviceTypes" ( tuple "container-infra" ) "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-ks-user-domain.yaml b/charts/magnum/templates/job-ks-user-domain.yaml
new file mode 100644
index 0000000..4521148
--- /dev/null
+++ b/charts/magnum/templates/job-ks-user-domain.yaml
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_user_domain }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "magnum-ks-user-domain" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: magnum-domain-ks-user
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "magnum" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: magnum-ks-domain-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 10 }}
+ command:
+ - /tmp/ks-domain-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-domain-user.sh
+ subPath: ks-domain-user.sh
+ readOnly: true
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "magnum"
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.identity.magnum_stack_user }}
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.identity.magnum_stack_user }}
+ key: OS_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.identity.magnum_stack_user }}
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.identity.magnum_stack_user }}
+ key: OS_PASSWORD
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.endpoints.identity.auth.magnum_stack_user.role | quote }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+ configMap:
+ name: magnum-bin
+ defaultMode: 0555
+{{- end }}
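Review bot: The `magnum-ks-domain-user` container carries the Keystone admin credentials injected by `keystone_openrc_env_vars` yet declares no `securityContext`, so it runs as whatever user the `ks_user` image defaults to; the conductor StatefulSet in the same chart pins `runAsUser: {{ .Values.pod.user.magnum.uid }}` on every container. I would add the same directly after the `image` snippet, aligned with `command:`: `securityContext:` / `  runAsUser: {{ .Values.pod.user.magnum.uid }}`, and consider `allowPrivilegeEscalation: false` alongside it. The job also has no resources block, unlike the conductor, which includes `helm-toolkit.snippets.kubernetes_resources`; whether a `pod.resources.jobs.ks_user` value exists to feed it cannot be confirmed from this chunk. Minor: the hook annotations here set `helm.sh/hook-delete-policy` but no `helm.sh/hook-weight`, while every other job template in this commit pins a weight, so this job lands at weight 0 by default, which may be intended but deserves a one-line comment.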
diff --git a/charts/magnum/templates/job-ks-user.yaml b/charts/magnum/templates/job-ks-user.yaml
new file mode 100644
index 0000000..cf34873
--- /dev/null
+++ b/charts/magnum/templates/job-ks-user.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "magnum" "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/magnum/templates/job-rabbit-init.yaml b/charts/magnum/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..399a32e
--- /dev/null
+++ b/charts/magnum/templates/job-rabbit-init.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "magnum" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/magnum/templates/network_policy.yaml b/charts/magnum/templates/network_policy.yaml
new file mode 100644
index 0000000..51076aa
--- /dev/null
+++ b/charts/magnum/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "magnum" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/magnum/templates/pdb-api.yaml b/charts/magnum/templates/pdb-api.yaml
new file mode 100644
index 0000000..db5cf71
--- /dev/null
+++ b/charts/magnum/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: magnum-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/magnum/templates/secret-db.yaml b/charts/magnum/templates/secret-db.yaml
new file mode 100644
index 0000000..bb8ef38
--- /dev/null
+++ b/charts/magnum/templates/secret-db.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "magnum" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/templates/secret-keystone.yaml b/charts/magnum/templates/secret-keystone.yaml
new file mode 100644
index 0000000..3bbc5e6
--- /dev/null
+++ b/charts/magnum/templates/secret-keystone.yaml
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "magnum" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $envAll.Values.secrets.identity.magnum_stack_user }}
+type: Opaque
+data:
+ OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+ OS_REGION_NAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.region_name | b64enc }}
+ OS_DOMAIN_NAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.domain_name | b64enc }}
+ OS_USERNAME: {{ .Values.endpoints.identity.auth.magnum_stack_user.username | b64enc }}
+ OS_PASSWORD: {{ .Values.endpoints.identity.auth.magnum_stack_user.password | b64enc }}
+{{- end }}
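Review bot: The `magnum_stack_user` Secret at the bottom of the hunk base64-encodes `region_name`, `domain_name`, `username` and `password` straight from values with no `required` guard, so an empty password string renders a Secret with an empty `OS_PASSWORD` instead of failing the install; the domain-user job then consumes it as `SERVICE_OS_PASSWORD`. Add a guard on the credential lines, e.g. `OS_PASSWORD: {{ .Values.endpoints.identity.auth.magnum_stack_user.password | required "endpoints.identity.auth.magnum_stack_user.password must be set" | b64enc }}`. Whether the chart's values.yaml ships a default for this user is not visible in this chunk. Minor: the block mixes `$envAll.Values` and `.Values` for the same root scope; using one form throughout reads more consistently.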
diff --git a/charts/magnum/templates/secret-rabbitmq.yaml b/charts/magnum/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..2f267be
--- /dev/null
+++ b/charts/magnum/templates/secret-rabbitmq.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "magnum" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/magnum/templates/secret-registry.yaml b/charts/magnum/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/magnum/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/magnum/templates/service-api.yaml b/charts/magnum/templates/service-api.yaml
new file mode 100644
index 0000000..7c6a0d0
--- /dev/null
+++ b/charts/magnum/templates/service-api.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "container-infra" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: m-api
+ port: {{ tuple "container-infra" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.api.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
diff --git a/charts/magnum/templates/service-ingress-api.yaml b/charts/magnum/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..5c9513d
--- /dev/null
+++ b/charts/magnum/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "container-infra" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/magnum/templates/statefulset-conductor.yaml b/charts/magnum/templates/statefulset-conductor.yaml
new file mode 100644
index 0000000..44d8b02
--- /dev/null
+++ b/charts/magnum/templates/statefulset-conductor.yaml
@@ -0,0 +1,134 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.statefulset_conductor }}
+{{- $envAll := . }}
+
+{{- $mounts_magnum_conductor := .Values.pod.mounts.magnum_conductor.magnum_conductor }}
+{{- $mounts_magnum_conductor_init := .Values.pod.mounts.magnum_conductor.init_container }}
+
+{{- $serviceAccountName := "magnum-conductor" }}
+{{ tuple $envAll "conductor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: magnum-conductor
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ serviceName: magnum-conductor
+ podManagementPolicy: "Parallel"
+ replicas: {{ .Values.pod.replicas.conductor }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.conductor.node_selector_key }}: {{ .Values.labels.conductor.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "conductor" $mounts_magnum_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: magnum-conductor-init
+{{ tuple $envAll "magnum_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.magnum.uid }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ command:
+ - /tmp/magnum-conductor-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: magnum-bin
+ mountPath: /tmp/magnum-conductor-init.sh
+ subPath: magnum-conductor-init.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ containers:
+ - name: magnum-conductor
+{{ tuple $envAll "magnum_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.magnum.uid }}
+ command:
+ - /tmp/magnum-conductor.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: magnum-bin
+ mountPath: /tmp/magnum-conductor.sh
+ subPath: magnum-conductor.sh
+ readOnly: true
+ - name: pod-etc-magnum
+ mountPath: /etc/magnum
+ - name: magnum-etc
+ mountPath: /etc/magnum/magnum.conf
+ subPath: magnum.conf
+ readOnly: true
+ {{- if .Values.conf.magnum.DEFAULT.log_config_append }}
+ - name: magnum-etc
+ mountPath: {{ .Values.conf.magnum.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.magnum.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: magnum-etc
+ mountPath: /etc/magnum/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: magnum-lock-path
+ mountPath: {{ .Values.conf.magnum.oslo_concurrency.lock_path }}
+ - name: magnum-certificate-cache
+ mountPath: {{ .Values.conf.magnum.cluster.temp_cache_dir }}
+{{ if $mounts_magnum_conductor.volumeMounts }}{{ toYaml $mounts_magnum_conductor.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-magnum
+ emptyDir: {}
+ - name: pod-shared
+ emptyDir: {}
+ - name: magnum-bin
+ configMap:
+ name: magnum-bin
+ defaultMode: 0555
+ - name: magnum-etc
+ secret:
+ secretName: magnum-etc
+ defaultMode: 0444
+ - name: magnum-lock-path
+ emptyDir: {}
+ - name: magnum-certificate-cache
+ emptyDir: {}
+{{ if $mounts_magnum_conductor.volumes }}{{ toYaml $mounts_magnum_conductor.volumes | indent 8 }}{{ end }}
+{{- end }}
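Review bot: The `magnum-certificate-cache` volume, mounted at `conf.magnum.cluster.temp_cache_dir`, is a plain `emptyDir: {}`, so whatever the conductor caches there (the key name suggests cluster certificate material, though the script that writes it is not in this hunk) lands on the node's disk under the kubelet directory. If it is key material, a memory-backed volume keeps it off disk: `- name: magnum-certificate-cache` / `  emptyDir:` / `    medium: Memory`, ideally with a `sizeLimit` since tmpfs counts against the pod's memory. Both containers set `runAsUser`, which is good; `allowPrivilegeEscalation: false` would round out the securityContext, and `readOnlyRootFilesystem: true` looks feasible here because `/tmp`, `/etc/magnum`, the lock path and the cache dir are already separate volumes. Minor: `podManagementPolicy: "Parallel"` is the only quoted plain scalar in the manifest.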
diff --git a/charts/magnum/values.yaml b/charts/magnum/values.yaml
new file mode 100644
index 0000000..4280f0b
--- /dev/null
+++ b/charts/magnum/values.yaml
@@ -0,0 +1,631 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for magnum.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ conductor:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ tags:
+ bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ magnum_db_sync: docker.io/openstackhelm/magnum:wallaby-ubuntu_focal
+ db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ magnum_api: docker.io/openstackhelm/magnum:wallaby-ubuntu_focal
+ magnum_conductor: docker.io/openstackhelm/magnum:wallaby-ubuntu_focal
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+conf:
+ paste:
+ pipeline:main:
+ pipeline: cors healthcheck request_id authtoken api_v1
+ app:api_v1:
+ paste.app_factory: magnum.api.app:app_factory
+ filter:authtoken:
+ acl_public_routes: /, /v1
+ paste.filter_factory: magnum.api.middleware.auth_token:AuthTokenMiddleware.factory
+ filter:request_id:
+ paste.filter_factory: oslo_middleware:RequestId.factory
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: magnum
+ filter:healthcheck:
+ paste.filter_factory: oslo_middleware:Healthcheck.factory
+ backends: disable_by_file
+ disable_by_file_path: /etc/magnum/healthcheck_disable
+ policy: {}
+ magnum:
+ DEFAULT:
+ log_config_append: /etc/magnum/logging.conf
+ transport_url: null
+ cluster:
+ temp_cache_dir: /var/lib/magnum/certificate-cache
+ oslo_messaging_notifications:
+ driver: messaging
+ oslo_concurrency:
+ lock_path: /var/lib/magnum/tmp
+ oslo_policy:
+ policy_file: /etc/magnum/policy.yaml
+ certificates:
+ cert_manager_type: barbican
+ database:
+ max_retries: -1
+ trust:
+ trustee_domain_name: null
+ keystone_authtoken:
+ auth_type: password
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ api:
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ port: null
+ host: 0.0.0.0
+ logging:
+ loggers:
+ keys:
+ - root
+ - magnum
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_magnum:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: magnum
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30511
+
+bootstrap:
+ enabled: false
+ ks_user: magnum
+ script: |
+ openstack token issue
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - magnum-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ api:
+ jobs:
+ - magnum-db-sync
+ - magnum-ks-user
+ - magnum-domain-ks-user
+ - magnum-ks-endpoints
+ - magnum-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: key_manager
+ - endpoint: internal
+ service: orchestration
+ conductor:
+ jobs:
+ - magnum-db-sync
+ - magnum-ks-user
+ - magnum-domain-ks-user
+ - magnum-ks-endpoints
+ - magnum-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: key_manager
+ - endpoint: internal
+ service: orchestration
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - magnum-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ ks_endpoints:
+ jobs:
+ - magnum-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: magnum-keystone-admin
+ magnum: magnum-keystone-user
+ magnum_stack_user: magnum-keystone-stack-user
+ oslo_db:
+ admin: magnum-db-admin
+ magnum: magnum-db-user
+ oslo_messaging:
+ admin: magnum-rabbitmq-admin
+ magnum: magnum-rabbitmq-user
+ oci_image_registry:
+ magnum: magnum-oci-image-registry
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ magnum:
+ username: magnum
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ magnum:
+ role: admin
+ region_name: RegionOne
+ username: magnum
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ magnum_stack_user:
+ role: admin
+ region_name: RegionOne
+ username: magnum-domain
+ password: password
+ domain_name: magnum
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ container_infra:
+ name: magnum
+ hosts:
+ default: magnum-api
+ public: magnum
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v1
+ scheme:
+ default: http
+ port:
+ api:
+ default: 9511
+ public: 80
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v1
+ scheme:
+ default: http
+ port:
+ api:
+ default: 9311
+ public: 80
+ orchestration:
+ name: heat
+ hosts:
+ default: heat-api
+ public: heat
+ host_fqdn_override:
+ default: null
+ path:
+ default: '/v1/%(project_id)s'
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8004
+ public: 80
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ magnum:
+ username: magnum
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /magnum
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ magnum:
+ username: magnum
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /magnum
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ fluentd:
+ namespace: null
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+
+pod:
+ user:
+ magnum:
+ uid: 42424
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ mounts:
+ magnum_api:
+ init_container: null
+ magnum_api:
+ volumeMounts:
+ volumes:
+ magnum_conductor:
+ init_container: null
+ magnum_conductor:
+ volumeMounts:
+ volumes:
+ magnum_bootstrap:
+ init_container: null
+ magnum_bootstrap:
+ volumeMounts:
+ volumes:
+ magnum_db_sync:
+ magnum_db_sync:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ conductor: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ conductor:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+
+network_policy:
+ magnum:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+manifests:
+ configmap_bin: true
+ configmap_etc: true
+ deployment_api: true
+ ingress_api: true
+ job_bootstrap: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user_domain: true
+ job_ks_user: true
+ job_rabbit_init: true
+ pdb_api: true
+ network_policy: false
+ secret_db: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ secret_registry: true
+ service_api: true
+ service_ingress_api: true
+ statefulset_conductor: true
+...
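Review bot: Every service credential in this values file is a literal placeholder — `password: password` in the `auth` blocks under `endpoints.identity`, `endpoints.oslo_db`, `endpoints.oslo_messaging` and `endpoints.oci_image_registry`, plus `memcache_secret_key: null` — and nothing in the file marks them as must-override values. A release rendered with these defaults unchanged ends up with a known password on the keystone, database and rabbitmq accounts, so a comment above `endpoints:` such as `# NOTE: placeholder credentials for development only; override per environment or source from an external secret store` would make the contract explicit, and a values check in CI that rejects the literal `password` could presumably catch it. Separately, `manifests.network_policy: false` together with the `network_policy.magnum` ingress/egress entries being `- {}` means no network isolation is applied by default; a one-line comment stating that this is intentionally permissive would save the next reader from assuming a policy is in force.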
diff --git a/charts/memcached/Chart.yaml b/charts/memcached/Chart.yaml
new file mode 100644
index 0000000..3dc1b9e
--- /dev/null
+++ b/charts/memcached/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+appVersion: v1.5.5
+description: OpenStack-Helm Memcached
+home: https://github.com/memcached/memcached
+name: memcached
+version: 0.1.12
diff --git a/charts/memcached/charts/helm-toolkit/Chart.yaml b/charts/memcached/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/memcached/charts/helm-toolkit/requirements.lock b/charts/memcached/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..08fae29
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2023-01-13T19:09:10.042747731Z"
diff --git a/charts/memcached/charts/helm-toolkit/requirements.yaml b/charts/memcached/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
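Review bot: The URI is assembled with `printf "%s://%s:%s@%s:%s%s"` from the raw `username` and `password` values, so a password containing `@`, `:`, `/` or `%` produces a malformed connection string — exactly what happens when an operator replaces the placeholder password with a generated one. Escaping the credentials before formatting, e.g. `{{- $endpointPass := index $userMap "password" | urlquery }}`, keeps the URI well-formed (with the caveat that `urlquery` is query-string escaping, so a space becomes `+`; a userinfo-specific escape would be more precise), and the same unescaped `printf` pattern appears in `_authenticated_transport_endpoint_uri_lookup.tpl` below. Since this is a bundled copy of helm-toolkit, the fix belongs in the upstream template rather than only in this vendored tree.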
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
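Review bot: The lookup uses `$context.Values` as scratch space (`set $context.Values "__FQDNendpointHostDefault" …` on the two `$_ :=` lines), so the helper key stays in `.Values` after the include and surfaces in anything that later renders the values tree, such as a `toYaml .Values` dump into a ConfigMap; `_hostname_short_endpoint_lookup.tpl` in this commit does the same with `__endpointHost`. A local variable is enough, since the `=` reassignment form is already relied on elsewhere in this commit (`$monHost = …` in `_ceph-storageclass.tpl`): `{{- $fqdnDefault := index $endpointMap.host_fqdn_override "default" | default "" }}` followed by `{{- if kindIs "map" $fqdnDefault }}{{- $fqdnDefault = index $fqdnDefault "host" }}{{- end }}`, with the two `default $context.Values.__FQDNendpointHostDefault` uses changed to `default $fqdnDefault`. This is a style and hygiene point; the resolved hostname is unchanged.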
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
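Review bot: The abstract says this helper "Resolves the namespace scoped hostname for an endpoint", but the body returns only the namespace (`printf "%s" $namespace`) and the example return value `default` confirms that; the wording was carried over from `_hostname_namespaced_endpoint_lookup.tpl`. Suggest `abstract: |` / `  Resolves the namespace an endpoint lives in (endpoints.<type>.namespace, falling back to the release namespace)`. The `$endpoint` element is read into a variable but never used, which deserves a one-line template comment so callers know the middle tuple element is ignored here.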
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
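Review bot: The IPv4 test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any host value that merely contains a dotted number sequence is classified as an address and the service type is returned in place of the configured host; anchoring it as `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` makes the intent explicit and the behaviour predictable. The same unanchored pattern appears in `_service_name_endpoint_with_namespace_lookup.tpl`. `$endpointScheme := $endpointMap.scheme` is assigned and never read and can be dropped.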
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
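Review bot: The usage example in the header comment does not match the template it documents: it calls `include "keystone_endpoint_name_lookup"` with an unquoted `identity`, while the define below is `helm-toolkit.endpoints.keystone_endpoint_name_lookup` and every other helper in this commit quotes the type. Suggest `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. The abstract's "for an service type" should read "for a service type".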
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
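Review bot: The `# FIXME(portdirect)` comment says this function is bugged and asks whether it is used, but `_keystone_endpoint_uri_lookup.tpl` in this same commit calls it (and `keystone_endpoint_scheme_lookup`, which carries the identical FIXME) for every URI it builds, so the note is stale and gives a maintainer the wrong picture of what is load-bearing. The `$port` element is indeed read into `$port` and never referenced; say that plainly and drop the "bugged" wording unless the actual bug can be named, e.g. `{{/* NOTE: the port element of the tuple is accepted for call-site compatibility with the other endpoint lookups and is not used. */}}`. The two `#` lines also sit outside `{{/* */}}`; presumably Helm discards non-define text in `_*.tpl` partials, but keeping notes inside a template comment block is the convention the other files here follow.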
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
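Review bot: The trailing explanatory comment refers to `helm-toolkit.endpoints.keystone_scheme_lookup`, but the define below is `helm-toolkit.endpoints.keystone_endpoint_scheme_lookup`, so the example as written would not resolve at render time. Suggest `# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }`. The `default "http"` fallback (in both branches) means an unset `scheme` silently produces a cleartext URL for whatever `keystone_endpoint_uri_lookup` builds from it; that is the upstream behaviour, but a comment at the define, `{{/* NOTE: an unset scheme falls back to plain http; set endpoints.<type>.scheme to https for TLS endpoints */}}`, makes the choice visible to chart authors.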
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/memcached/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
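Review bot: `{{- if .service.name }}` is evaluated whenever the host is an IP, yet the example values define no `service` key; if `service` is absent, `.service` is nil and `.service.name` presumably aborts the render with a nil-pointer error instead of falling through to the `else` branch. Guard it with a defaulted map: `{{- $svc := .service | default dict }}` before the `if`, then `{{- if $svc.name }}` and `{{- printf "%s:%s" $endpointNamespace $svc.name -}}`. As in `_hostname_short_endpoint_lookup.tpl`, the IPv4 regex is unanchored; anchoring it with `^…$` avoids treating a hostname that contains a dotted-quad substring as an address. Unlike the short lookup, `$endpointName` is passed to `regexMatch` without unwrapping the `{host: …}` map form that the short lookup's examples accept, so a host written that way likely fails here — worth confirming against the callers.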
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
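Review bot: `monitors: {{ $monHost }}` is emitted unquoted while every other parameter goes through `quote`; a `conf.ceph.global.mon_host` value in a bracketed form (starting with `[`) would be parsed as a YAML flow sequence rather than a string, and a value containing `: ` or ` #` would break the mapping. Quote it like the rest: `  monitors: {{ $monHost | quote }}`. The `---` is written before the `provision_storage_class` check, so a disabled class still yields an empty document; harmless for kubectl, but moving the separator inside the `if` keeps the output clean.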
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
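Review bot: The `privateKey` default only sets `size`; cert-manager's `privateKey.rotationPolicy` has historically defaulted to `Never` when omitted, so each renewal of these certificates reuses the original private key, which undercuts the short `2190h` duration and `360h` renewBefore defaults set just below. Defaulting it next to the size is three lines placed after the size block, where `$slice` is guaranteed to hold a `privateKey` map: `{{- if not (hasKey (index $slice "privateKey") "rotationPolicy") -}}` / `{{- $_ := "Always" | set (index $slice "privateKey") "rotationPolicy" -}}` / `{{- end -}}`. The `dnsNames` default covers only the short, namespaced and in-cluster FQDN forms; if an external `host_fqdn_override.<type>.host` is configured it is not added, so the issued certificate would not be valid for that name — the existing comment about passing `dnsNames` in from another HTK lookup should say this explicitly. Note also that every default is written back into `.Values` via `set`, so it persists for later templates in the same render.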
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
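Review bot: Neither the pod `spec:` nor the `bootstrap` container sets a `securityContext`, so the job runs with whatever the `images.tags.bootstrap` image defaults to (potentially root with a writable root filesystem) while holding Keystone admin-ish credentials from `secrets.identity`. The mounts already support a hardened profile — the script and config are `readOnly: true` subPath mounts and `/tmp` is an `emptyDir` — so adding under the container something like `securityContext:` / `  allowPrivilegeEscalation: false` / `  readOnlyRootFilesystem: true` (plus `runAsNonRoot` if the image supports it) should be a drop-in change; if this toolkit bundle ships a shared pod/container security-context snippet, including it here would keep the job consistent with the other manifests. A smaller point: the header comment says this "creates a manifest for db creation and user management", which describes the db-init job rather than this bootstrap job; suggest `# This function creates a manifest for a bootstrap Job that runs /tmp/bootstrap.sh from the service's bin ConfigMap/Secret.`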
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
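Review bot: The header comment is copied from the db-init template and says this "creates a manifest for db creation and user management", but the job is a destructive `helm.sh/hook: pre-delete` that drops databases using the `ROOT_DB_CONNECTION` admin secret; suggest `# This function creates a manifest for a pre-delete Job that drops the service's database(s) using the admin DB credentials.` so nobody wires it in expecting an idempotent init. Because it is a pre-delete hook with `restartPolicy: OnFailure`, `backoffLimit` defaulting to `1000` and no default `activeDeadlineSeconds`, a failing drop (wrong admin credentials, DB unreachable) will keep retrying and can hold up `helm uninstall` for a long time while the only cleanup policy is `hook-succeeded`; a lower default `backoffLimit` or a default deadline for this job would be worth considering. Note also that `{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}` in the containers loop is not whitespace-trimmed (the volumes loop uses `{{- ... }}`), so each container entry is preceded by a stray blank line in the rendered manifest — harmless but inconsistent.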
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
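Review bot: The rabbit-init container definition carries no container security context, whereas the ks-user template above includes `{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` right after its resources include; the s3-bucket, s3-user and image-repo-sync containers in the following hunks have the same omission. Adding the equivalent line with the application/container keys this job uses elsewhere in the chart values (presumably `rabbit_init`) keeps these job pods under the chart's pod security defaults instead of the cluster default. Separately, the TLS volume and volume mount are gated only on `$envAll.Values.manifests.certificates`, while the `RABBITMQ_X509`/`USER_CERT_PATH` env vars additionally require `ne $tlsSecret ""`; unless the tls snippets are known to tolerate an empty secret name, both volume blocks should use the same `and` condition. The two `secretKeyRef` names (`secrets.oslo_messaging.admin` and the per-service entry) are the only templated scalars in the hunk emitted without `| quote`. This path looks like a bundled copy of helm-toolkit, so any fix probably belongs in the upstream chart as well.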
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
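Review bot: `$s3UserSecret` is assigned from `index $envAll.Values.secrets.rgw $serviceName` near the top of the define but never referenced in its body, so the line is dead and can be dropped (the s3-user template below has the same unused assignment). The ceph-keyring volume hard-codes `secretName: pvc-ceph-client-key`, while the other external names (`configMapBin`, `configMapCeph`) are parameters of the define; a parameter along the lines of `{{- $secretCephKeyring := index . "secretCephKeyring" | default "pvc-ceph-client-key" -}}` would keep the inputs consistent and let a chart use a differently named client-key secret. `image:` and `imagePullPolicy:` are emitted unquoted here, whereas the rabbit-init template quotes both. The TLS volume's `defaultMode: 292` is the decimal form of the `0444` written for `ceph-etc` a few lines above; using one notation makes the intended permissions obvious to a reader.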
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
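Review bot: The `RGW_HOST` value produced by `helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup` is emitted as a plain scalar, while the keystone template quotes every templated env value (`value: {{ $serviceName | quote }}`); `value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | quote }}` avoids YAML re-typing whatever the lookup returns. The `ceph-keyring-placement` init container has neither a `kubernetes_resources` include nor a security context, unlike the `s3-user` container which at least gets resources. The `"helm.sh/hook-delete-policy": before-hook-creation` annotation is unconditional here but absent from the s3-bucket job; as far as I know Helm only honors it on resources that also carry a `helm.sh/hook` annotation (which could arrive via `jobAnnotations`), so the asymmetry is worth either documenting or removing. The `{{ end }}` closing the two `admin_keyring` conditionals lacks the `-` trim the surrounding blocks use and so leaves stray blank lines in the rendered manifest.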
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
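Review bot: The `docker-socket` volume mounts the node's `/var/run/docker.sock` via `hostPath` with no comment explaining why; a pod holding that socket can drive the node's container runtime, so the template should say so where a maintainer enabling the job will see it, e.g. `{{/* The sync job pushes into the local registry through the node's Docker socket; a pod with this mount is effectively node-privileged, so keep the job disabled unless a local image registry is in use. */}}` above the volume. The mount has no `readOnly:` flag, but a read-only bind of a Unix socket does not restrict the API calls made over it, so the real guard is whether the job is rendered at all (that toggle is outside this hunk). `serviceAccountName: {{ $serviceAccountName }}` is the one unquoted templated scalar in the hunk; the sibling job templates use `| quote`. The `LOCAL_REPO` and `IMAGE_SYNC_LIST` values wrap template output in literal double quotes, which breaks if the output ever contains `"`; `| quote` on the whole expression is the safer form.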
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
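Review bot: When `network_policy.<label>` is absent from values the define still emits a NetworkPolicy with a `podSelector` but no `policyTypes`, `ingress` or `egress` sections (each of those is gated on `hasKey (index $envAll.Values "network_policy") $label`); Kubernetes treats a policy with no `policyTypes` as Ingress-only, so the rendered object isolates the selected pods from all ingress, which is probably not what a caller passing an unconfigured label expects. Either gate the whole manifest on that `hasKey` check or state the behaviour in the header, e.g. `A label with no network_policy entry renders a policy that isolates the selected pods from all ingress.`. The egress rules generated from `endpoints` derive a `podSelector` by splitting `hosts.internal`/`hosts.default` on `-` and using the first token as the `application` label, which only matches when hostnames follow that naming convention; a one-line comment stating the assumption would help the next reader. The `return:` example in the header shows a `podSelector` with `name: default` where the `values:` example used a `namespaceSelector`, so one of the two is out of date.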
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
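Review bot: The header examples document the credential field as `name: {{ $userName }}` and the output key as `dockerconfigjson:`, but the define reads `$imageCredentials.username` and writes `.dockerconfigjson:`; the examples should be corrected to `username:` and `.dockerconfigjson:` so that values copied from them actually render a usable pull secret. The Docker config is assembled with `printf` into a hand-quoted JSON string; building it as a map keeps escaping correct for any host or token content: `{{- $dockerAuth := dict "auths" (dict (printf "%s%s" $registryHost $registryPort) (dict "auth" $dockerAuthToken)) | toJson | b64enc }}`. Neither `$secretName` nor `$imageCredentials` is validated, so a `registryUser` with no entry under `secrets.oci_image_registry` renders a Secret with an empty `name:`, and one missing from `endpoints.oci_image_registry.auth` presumably fails on the `.username` access with an unhelpful nil-pointer message; wrapping both lookups in `required` gives a clear render-time error instead.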
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/memcached/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
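Review bot: The `else` branch on L131576 adds `--no-check-certificate`, so every non-http RGW connection skips server certificate validation and the admin and user keys built on L131578-L131579 are then presented to whatever answers on `$RGW_HOST`. If the job has a CA bundle available, the TLS path should use `CONNECTION_ARGS+=" --ca-certs=<CA_BUNDLE_PATH>"` (placeholder path) and leave `--no-check-certificate` out of the default path. The access/secret keys passed as `--access_key`/`--secret_key` are also readable in the container's process table for the lifetime of each `s3cmd` call; an s3cmd config file passed with `-c` keeps them out of argv. The unquoted `$S3_BUCKET` expansions are harmless for valid bucket names but would word-split if the value ever carried whitespace.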
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
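Review bot: The root URL rebuilt on L131772 turns a missing port into the literal text `None` and re-inserts the already-decoded password without URL-escaping, so a ROOT_DB_CONNECTION with no port, or with `@`, `/` or `:` in the password, produces an unparsable URL; L131920 in the db_init hunk below has the same lines. Build it from the parsed URL object instead of concatenating — on SQLAlchemy 1.4+ `root_engine_url = root_engine_full.url.set(database=None)`, on older releases by assigning the attribute — so the driver re-escapes it (confirm which SQLAlchemy release the image ships). The DROP statements on L131796 and L131804 interpolate the database and user names unquoted; both come from the service's own connection string rather than an end user, but wrapping them in backticks (doubling any backtick inside the name) keeps a name containing `-` or whitespace from breaking the statement. The bare `except:` blocks do re-raise, which is acceptable, though `except Exception:` would let `KeyboardInterrupt`/`SystemExit` propagate without being logged as a database failure.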
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
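Review bot: The GRANT on L131953 splices `password` into a quoted SQL literal with no escaping, so a password containing `'` or `\` either breaks the statement or changes its meaning, and `mysql_x509` from the environment is appended verbatim as SQL text. Identifiers and `IDENTIFIED BY` literals cannot be bound as parameters here, so escape the value before formatting — at minimum `password.replace("\\", "\\\\").replace("'", "\\'")`, or the DBAPI connection's own string-escaping helper if the driver in use exposes one — and validate `mysql_x509` against the single clause the chart expects instead of passing arbitrary text through. The connection-URL rebuild on L131920 has the same `None` port and unescaped-password problem raised on the db_drop hunk above.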
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
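Review bot: `set -ex` on L131992 together with `PASSWORD '$USER_DB_PASS'` on L132036 and L132039 writes the service database password to the job's stdout, and therefore to pod logs, on every run, because xtrace echoes the fully expanded command line. Drop `-x`, or bracket the two password-bearing `pgsql_superuser_cmd` calls with `set +x` / `set -x`; the password is also visible in the `psql --command=` argument for the duration of each call, which is harder to avoid but worth documenting. Separately, `EXPORT PGDATABASE=$2` on L132022 is not the bash builtin (`export` is), so the first caller that passes a second argument will fail with "command not found" under `set -e`; no caller in this hunk does yet, so the bug is latent.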
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
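Review bot: With `set -ex` on L132114, the `--password="${SERVICE_OS_PASSWORD}"` arguments on L132128 and L132132 are echoed by xtrace, so the Keystone service password lands in the job's pod logs on every run. Either drop `-x` for this script or wrap the two `openstack user` calls in `set +x` / `set -x`; the `_ks-user.sh.tpl` hunk that starts below is cut off in this view and may follow the same pattern. Pod logs are commonly shipped to a central store with broader read access than the Secret the value came from, which is why this matters more than the password also appearing in the process argument list.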
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
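Review bot: The lookup on L132302-L132304 is a pipeline whose exit status is `sed`'s, so when `openstack service list` fails (the ECONNRESET case the FIXME above describes) `OS_SERVICE_ID` is simply empty and, after three attempts, the script falls through to `openstack service create` on L132316 — the duplicate-service outcome the comment says it is trying to avoid. Adding `set -o pipefail` next to `set -ex` makes a failed listing abort the script under `set -e` rather than be mistaken for "service not found", leaving the retry to the job controller; alternatively check the listing's exit status explicitly before deciding to create. Note also that `exit 0` on L132308 ends the whole script from inside the loop, which is intended here but deserves a one-line comment.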
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Calculation remote file SHA256 hash
+ REMOTE_FILE=$(mktemp -p /tmp)
+ openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+ rm -rf ${REMOTE_FILE}
+ return 1
+ fi
+
+ # Remote backup verification
+ SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+ SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+ if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+ return 1
+ fi
+ rm -rf ${REMOTE_FILE}
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
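Review bot: `delete_archive` (`rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}`) and `get_archive` (`cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE`) use the caller-supplied archive name as a path component with no validation, so a name containing `/` or `..` reaches outside ARCHIVE_DIR and TMP_DIR, and `openstack object save --file $TMP_DIR/$ARCHIVE` has the same shape for the remote case. A one-line guard at the top of both functions closes this: `[[ "${ARCHIVE_FILE}" != "$(basename -- "${ARCHIVE_FILE}")" ]] && clean_and_exit 1 "ERROR: archive name must not contain path components."`. Separately, `database_exists` uses `grep "${DB}" ${RESULT_FILE}`, an unanchored substring match, so a request for `nova` passes the existence check when only `nova_api` is in the archive and the mismatch is only discovered inside `restore_single_db`; `grep -qx -- "${DB}" "${RESULT_FILE}"` matches whole lines only. Quoting the expansions throughout (`"$TMP_DIR/$ARCHIVE_FILE"`) would also keep a name with spaces from splitting into extra arguments to `cp`, `tar` and `rm`. The `tar zxvf -` extraction of a remotely fetched archive relies on tar's default stripping of leading `/` and refusal of `..` members, which GNU tar does by default but is worth confirming for whichever tar the image ships.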
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
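Review bot: `index $envAll.Values.images.tags $image` returns nil when a chart references a key that is missing from `images.tags`, and the template then renders an empty or `%!s(<nil>)`-containing image reference rather than failing, so the mistake only surfaces as a pod image-pull error at deploy time. Wrapping the lookup with Helm's `required` fails the render with the missing key named: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. The `imagePullPolicy` line has the same property when `images.pull_policy` is unset, rendering an empty value that Kubernetes then defaults silently.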
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
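Review bot: The `return:` block in the header comment no longer matches what the template emits: it omits `OS_DEFAULT_DOMAIN`, which is always rendered, and shows `OS_CACERT` unconditionally although the template only emits it when `useCA` is passed, and the `usage:` line does not show that flag at all. A caller copying the documented `usage:` line therefore gets a client environment with no `OS_CACERT`, which presumably matters wherever the Keystone endpoint is TLS with a private CA. Update `usage:` to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}`, add the `OS_DEFAULT_DOMAIN` entry to `return:`, and note there that `OS_CACERT` is conditional on `useCA`.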
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
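Review bot: This snippet is the only one in the set without the `abstract`/`values`/`usage`/`return` header, so a reader has to reverse the tuple convention (user class, identity endpoint, context) from the three `index` calls. A header such as `abstract: Renders the base64-encoded key/value entries of an openrc Secret for the given user class under endpoints.identity.auth; OS_CACERT is only emitted when cacert is set` plus a `usage:` line like `{{ tuple "admin" "internal" . | include "helm-toolkit.snippets.keystone_secret_openrc" }}` would bring it in line with the sibling snippets. It is worth stating there that `b64enc` is encoding, not protection: the rendered Secret carries `OS_PASSWORD` readable to anyone with get access on it, so RBAC on Secrets in the namespace is the actual control.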
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
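Review bot: The documented `usage:` passes `"useCA" true`, but the template never reads `.useCA` and emits no `SERVICE_OS_CACERT`, unlike the openrc snippet in this same toolkit, so the flag is silently ignored and a caller relying on it for CA configuration gets nothing. Either drop `"useCA" true` from the `usage:` line so the docs match the code, or add a `{{- if .useCA }}` block emitting `SERVICE_OS_CACERT` from the secret's `OS_CACERT` key, mirroring the openrc snippet. I cannot tell from this hunk whether the user-management job reads such a variable, so the documentation fix is the safe minimal change.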
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
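Review bot: The header's `values:` example places `apparmor_profiles` under `pod.mandatory_access_control` and writes it as a `|-` block scalar, but the template reads `$envAll.Values.conf.apparmor_profiles` and pipes it through `toYaml`, which expects a mapping of profile file name to profile text; a chart author following the example gets no ConfigMap and no error. Move the key in the example to `conf:` and drop the `|-` so it reads `conf:` / `  apparmor_profiles:` / `    my_apparmor-v1.profile: |-`. Unlike the `pod.*` lookups, `$envAll.Values.conf` is dereferenced without a `hasKey` guard, so a chart with no `conf` section fails to render with a nil-pointer message rather than skipping the ConfigMap; nesting `{{- if hasKey $envAll.Values "conf" }}` around the existing `{{- if $envAll.Values.conf.apparmor_profiles }}` keeps it consistent with the other guards. Since these profiles are loaded onto the node by the privileged loader init container that follows, anyone able to edit this ConfigMap can change node-level MAC policy, which deserves a one-line comment so namespace RBAC is set accordingly.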
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/memcached/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/memcached/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
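Review bot: The two `hasPrefix "|\n" $templateRendered` checks only recognise a block scalar that `toYaml` emitted with the clip indicator; a multi-line string whose last line has no trailing newline is, I believe, serialised with `|-` instead, which neither branch matches, so the literal `|-` line would end up as the first line of the rendered value. If that holds, testing `or (hasPrefix "|\n" $templateRendered) (hasPrefix "|-\n" $templateRendered)` and trimming whichever prefix is present would close the gap. Separately, the `tpl ( $template | toYaml ) .` call means any string reaching these `conf.*` keys is executed as a template, which is worth one comment above the define so chart authors treat those values as code rather than data. This is a vendored helm-toolkit copy, so the change should land upstream and be re-bundled.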
diff --git a/charts/memcached/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/memcached/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
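Review bot: When `params.ca` is present but lacks either `crt` or `key`, the `if hasKey $params "ca"` branch sets nothing, so `$local.ca` is still unset by the time `genSignedCert ... $local.ca` runs and rendering fails with an opaque nil-value error instead of naming the misconfiguration. Adding `{{- else }}{{- fail "tls_generate_certs: params.ca requires both crt and key" }}{{- end }}` to the inner `if and (hasKey $params.ca "crt") (hasKey $params.ca "key")` makes the cause visible in `helm template` output. Note also that the returned map carries `caKey` (the CA private key) in both the encoded and plain branches, so a caller that writes the whole map into a Secret stores the CA key next to the leaf key; a short comment on the `caKey` lines saying so would help callers decide whether to drop it. Vendored helm-toolkit file; fix belongs upstream.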
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
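Review bot: `helm-toolkit.utils.configmap_templater` is the only template in this set without the `abstract`/`values`/`usage`/`return` header the neighbouring snippets carry, and nothing explains the tuple positions (`keyRoot`, `configTemplate`, `context`) or the fixed `indent 4`. A header comment stating that the first element is a values subtree whose `override` replaces the rendered template entirely while `prefix` and `append` are emitted before and after it, that the second element is the template rendered through `helm-toolkit.utils.template`, and that every line is indented four spaces for inclusion under a ConfigMap `data:` key, would let a chart author use it without reading the body.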
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
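Review bot: The volume rewrite loop (`range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes`) and the affinity block run before the four `if not $context.Values.__daemonset_yaml.spec ...` guards that create `spec`, `spec.template` and `spec.template.metadata`, so a daemonset skeleton missing `spec.template` fails on the volume range before those guards ever execute; moving the guard lines above the volume loop makes them effective. Also, `unset $context ".Files"` removes the literal key `".Files"`, whereas the root context key is presumably `Files`, so I suspect that line is a no-op; if the intent is to keep chart files out of the deep-copied per-node context, `{{- $_ := unset $context "Files" }}` would be needed. Large vendored helm-toolkit template; both points belong upstream.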
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
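Review bot: In the slice branch, `index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey` is evaluated without first checking that `$v` exists under `targeted`, unlike the string branch, which guards with `if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam )` before indexing deeper; an unknown list entry therefore aborts rendering instead of falling back to the static dependencies. Wrapping the merge in the same `if` and falling through to `__deps` when the key is absent would make the two branches consistent. The scratch key `__deps` is also left in `.Values` after the loop; `{{- $_ := unset $envAll.Values "__deps" }}` before the final `toYaml` would avoid leaking it into later templates.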
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
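Review bot: `$context.Template.Name | replace $last $name` substitutes every occurrence of the basename in the template path, so a template whose file name also appears as a directory component would be rewritten in the wrong place and the `include` would miss; composing the path instead, `{{- $tplPath := printf "%s/%s" (dir $context.Template.Name) $name -}}`, rewrites only the last component. That also retires the `$wtf` name, which tells a reader nothing about what the variable holds.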
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
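Review bot: The separator is emitted before the exclusion check, so once `first` has been cleared every excluded image still produces a `,`: an excluded tag in the middle of the map yields `a,,b` and one at the end yields a trailing comma. Moving the comma inside the exclusion test fixes it: `{{- if (not (has $k $imageExcludeList )) -}}` / `{{- if not $local.first -}},{{- end -}}` / `{{- index $imageDict $k -}}`, with the `set $local "first" false` line following as before.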
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
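Review bot: The `range` line wraps each value in single quotes without escaping a single quote inside `$v`, so an element such as `it's` renders as `'it's'` and breaks whatever the consumer parses. If the consumer is SQL-like, the usual fix is `'{{- $v | replace "'" "''" -}}'`; if an embedded quote is never legitimate, `fail` on it instead so the problem surfaces at render time. The abstract also misspells "seperated" (should be "separated"). This appears to be a bundled copy of helm-toolkit, so the fix belongs upstream as well.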
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
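Review bot: The license header opens with `{/*` instead of `{{/*` on the first line, so it is not a template comment; the text up to the literal `*/}}` is rendered as plain output rather than being stripped. Helm discards the top-level output of `_`-prefixed partials, so the effect is probably invisible today, but the stray `}}` becomes a parse hazard the moment the header is copied into a rendered template. Change the first line to `{{/*`, matching the sibling files in this directory.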
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
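Review bot: In `_merge`, when the target lacks a key and the source value is a map, the `_merge.shallow` branch copies only the top level, so nested maps inside that value remain the same objects as the source's; a later merge into that key then calls `set` on the shared nested map and mutates the original source in place. The `named_items` copy in the slice branch has the same shape. If callers pass `.Values` subtrees as sources, this could change values observed by other templates in the same render; replacing the shallow copy with a recursive one, e.g. `{{- $_ := set $local "newTargetValue" (deepCopy $sourceValue) -}}` where the Helm version in use provides Sprig's `deepCopy`, removes the aliasing. The TODO about merging a collection with a scalar is also worth resolving with `fail`, since silently keeping the source hides configuration errors.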
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_template.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
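Review bot: The path rewrite on the `$wtf` line uses `replace`, which substitutes every occurrence of the base name string in the template path rather than only the trailing segment, so a path in which that string also appears earlier (unlikely, but possible with a chart or directory named after the file) would produce a wrong include path. Building the path from the directory is exact: `{{- $tplPath := printf "%s/%s" (dir $context.Template.Name) $name -}}` followed by `{{ include $tplPath $context }}`. Renaming `$wtf` to something descriptive helps the next reader; this looks like a bundled helm-toolkit copy, so the change should go upstream too.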
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
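Review bot: The `usage` example in the header documents a different function: it calls `helm-toolkit.utils.to_k8s_env_vars` with `.Values.test`, while the define below is `to_k8s_env_secret_vars` and reads a two-element tuple (`index . 0` is the context, `index . 1` the secrets map). Suggested usage line: `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}`. The loop variable `$config` is never used; `range $key, $_ := $secrets` would make clear that only key names are consumed and the values come from the referenced Secret.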
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/memcached/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/memcached/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
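Review bot: A map-valued option whose `type` is neither `multistring` nor `csv` (or that has no `type` key) falls through both branches of the `else if kindIs "map"` arm and is silently omitted from the rendered config, so a typo in `type` or an accidentally nested map yields a file missing that option with no error. Adding `{{ else }}{{ fail (printf "unsupported option type %q for %s/%s" $value.type $section $key) }}` before the inner `{{ end -}}` turns that into a render-time failure. If `$value.type` can be absent, the `eq` comparison may itself error depending on how the template engine treats nil, which is a further reason to check `hasKey $value "type"` first.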
diff --git a/charts/memcached/charts/helm-toolkit/values.yaml b/charts/memcached/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/memcached/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/memcached/requirements.lock b/charts/memcached/requirements.lock
new file mode 100644
index 0000000..79d0964
--- /dev/null
+++ b/charts/memcached/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: 0.2.50
+digest: sha256:7bb7761d375d7b44849ba551843e572bf8ee2208775d55d4b742e799d0e81799
+generated: "2023-01-13T19:09:24.258595766Z"
diff --git a/charts/memcached/requirements.yaml b/charts/memcached/requirements.yaml
new file mode 100644
index 0000000..84f0aff
--- /dev/null
+++ b/charts/memcached/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: ">= 0.1.0"
+...
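Review bot: The dependency declares `repository: file://../helm-toolkit`, which resolves relative to this chart to `charts/helm-toolkit`, while the copy this commit ships lives at `charts/memcached/charts/helm-toolkit`; unless a top-level `charts/helm-toolkit` exists (not visible here), `helm dependency update` will fail and installs will silently use whatever is vendored. The accompanying `requirements.lock` pins 0.2.50, so the vendored subchart's `Chart.yaml` version should be checked to match or the lock regenerated, otherwise the lock no longer describes what is deployed. The open constraint `">= 0.1.0"` accepts any future version; pinning to the vendored one (e.g. `version: "0.2.50"`) makes the bundled copy authoritative.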
diff --git a/charts/memcached/templates/bin/_memcached-exporter.sh.tpl b/charts/memcached/templates/bin/_memcached-exporter.sh.tpl
new file mode 100644
index 0000000..d10e6b7
--- /dev/null
+++ b/charts/memcached/templates/bin/_memcached-exporter.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec /bin/memcached_exporter
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
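Review bot: `stop` sends `kill -TERM 1`, but `deployment.yaml` in this chart sets `shareProcessNamespace: true`, under which PID 1 in every container is the pod's pause process rather than the exporter, so this would signal the sandbox instead of `memcached_exporter` (nothing visible invokes `stop`, so the defect is latent). Target the process instead, e.g. `kill -TERM "$(pidof memcached_exporter)"` if the image provides `pidof`, and since the shebang is `#!/bin/sh`, drop the Bash-only `function` keyword (`start () {`). Quoting the dispatch as `"$COMMAND"` avoids word splitting on unexpected arguments.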
diff --git a/charts/memcached/templates/bin/_memcached.sh.tpl b/charts/memcached/templates/bin/_memcached.sh.tpl
new file mode 100644
index 0000000..c727c28
--- /dev/null
+++ b/charts/memcached/templates/bin/_memcached.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+memcached --version
+exec memcached -v \
+ -p ${MEMCACHED_PORT} \
+ -U 0 \
+{{- if not .Values.conf.memcached.stats_cachedump.enabled }}
+ -X \
+{{- end }}
+ -c ${MEMCACHED_MAX_CONNECTIONS} \
+ -m ${MEMCACHED_MEMORY}
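Review bot: The `exec memcached` line expands `${MEMCACHED_PORT}`, `${MEMCACHED_MAX_CONNECTIONS}` and `${MEMCACHED_MEMORY}` unquoted without `set -u`, so an unset or empty variable silently disappears and the following flag is consumed as the previous option's argument (e.g. `-c -m` with an empty max-connections), giving a running daemon with unintended limits instead of a failed start. `set -eux` at the top plus quoting each expansion (`-p "${MEMCACHED_PORT}"`) makes a missing value a hard error. The `-U 0` and conditional `-X` choices are good defaults to keep; a one-line comment would tell the next maintainer why they exist, e.g. `# -U 0 disables the UDP listener (amplification vector); -X blocks key enumeration via stats cachedump`.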
diff --git a/charts/memcached/templates/configmap-apparmor.yaml b/charts/memcached/templates/configmap-apparmor.yaml
new file mode 100644
index 0000000..0a06bf7
--- /dev/null
+++ b/charts/memcached/templates/configmap-apparmor.yaml
@@ -0,0 +1,15 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- dict "envAll" . "component" "memcached" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
diff --git a/charts/memcached/templates/configmap-bin.yaml b/charts/memcached/templates/configmap-bin.yaml
new file mode 100644
index 0000000..f14bd24
--- /dev/null
+++ b/charts/memcached/templates/configmap-bin.yaml
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $configMapBinName := printf "%s-%s" $envAll.deployment_name "memcached-bin" }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $configMapBinName }}
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+ memcached.sh: |
+{{ tuple "bin/_memcached.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ memcached-exporter.sh: |
+{{ tuple "bin/_memcached-exporter.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/memcached/templates/deployment.yaml b/charts/memcached/templates/deployment.yaml
new file mode 100644
index 0000000..b3d12ea
--- /dev/null
+++ b/charts/memcached/templates/deployment.yaml
@@ -0,0 +1,123 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+
+{{- $rcControllerName := printf "%s-%s" $envAll.deployment_name "memcached" }}
+{{- $configMapBinName := printf "%s-%s" $envAll.deployment_name "memcached-bin" }}
+
+{{ tuple $envAll "memcached" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $rcControllerName | quote }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.server }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ annotations:
+{{ dict "envAll" $envAll "podName" "memcached" "containerNames" (list "init" "memcached") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ labels:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ shareProcessNamespace: true
+ serviceAccountName: {{ $rcControllerName | quote }}
+ affinity:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value | quote }}
+{{ if $envAll.Values.pod.tolerations.memcached.enabled }}
+{{ tuple $envAll "memcached" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.memcached.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "memcached" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
+ containers:
+ - name: memcached
+{{ tuple $envAll "memcached" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "memcached" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: MEMCACHED_PORT
+ value: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+ - name: MEMCACHED_MAX_CONNECTIONS
+ value: {{ .Values.conf.memcached.max_connections | quote }}
+ - name: MEMCACHED_MEMORY
+ value: {{ .Values.conf.memcached.memory | quote }}
+ command:
+ - /tmp/memcached.sh
+ ports:
+ - containerPort: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: memcached-bin
+ mountPath: /tmp/memcached.sh
+ subPath: memcached.sh
+ readOnly: true
+{{- if .Values.monitoring.prometheus.enabled }}
+ - name: memcached-exporter
+ image: {{ .Values.images.tags.prometheus_memcached_exporter }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.prometheus_memcached_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "memcached_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/memcached-exporter.sh
+ - start
+ ports:
+ - name: metrics
+ containerPort: {{ tuple "oslo_cache" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "oslo_cache" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: memcached-bin
+ mountPath: /tmp/memcached-exporter.sh
+ subPath: memcached-exporter.sh
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: memcached-bin
+ configMap:
+ name: {{ $configMapBinName | quote }}
+ defaultMode: 0555
+{{ dict "envAll" $envAll "component" "memcached" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
+{{- end }}
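Review bot: The mandatory-access-control annotation on the pod template passes `containerNames (list "init" "memcached")`, but when `monitoring.prometheus.enabled` is set a third container, `memcached-exporter`, is added without being listed, so whatever per-container AppArmor annotation the helper emits (inferred from its name) will not cover the exporter. Change the list to `(list "init" "memcached" "memcached-exporter")`. The exporter also sets `image:`/`imagePullPolicy:` directly from `.Values.images.tags.prometheus_memcached_exporter` instead of going through `helm-toolkit.snippets.image` as the memcached container does, which bypasses any local-registry rewriting that snippet performs; `{{ tuple $envAll "prometheus_memcached_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}` keeps both containers consistent. `shareProcessNamespace: true` is only needed if the sidecar must see memcached's PIDs; if it does not, dropping it restores per-container process isolation.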
diff --git a/charts/memcached/templates/job-image-repo-sync.yaml b/charts/memcached/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..ae519ff
--- /dev/null
+++ b/charts/memcached/templates/job-image-repo-sync.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "memcached" -}}
+{{- if .Values.pod.tolerations.memcached.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/memcached/templates/network_policy.yaml b/charts/memcached/templates/network_policy.yaml
new file mode 100644
index 0000000..9beab0d
--- /dev/null
+++ b/charts/memcached/templates/network_policy.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "memcached" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/memcached/templates/secret-registry.yaml b/charts/memcached/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/memcached/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/memcached/templates/service.yaml b/charts/memcached/templates/service.yaml
new file mode 100644
index 0000000..0280d63
--- /dev/null
+++ b/charts/memcached/templates/service.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "oslo_cache" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ sessionAffinity: ClientIP
+ ports:
+ - name: memcache
+ port: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- if .Values.monitoring.prometheus.enabled }}
+ - name: metrics
+ port: {{ tuple "oslo_cache" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+ selector:
+{{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/memcached/values.yaml b/charts/memcached/values.yaml
new file mode 100644
index 0000000..b9e6339
--- /dev/null
+++ b/charts/memcached/values.yaml
@@ -0,0 +1,209 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for memcached.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+conf:
+ memcached:
+ max_connections: 8192
+ # NOTE(pordirect): this should match the value in
+ # `pod.resources.memcached.memory`
+ memory: 1024
+ stats_cachedump:
+ enabled: true
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - memcached-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ memcached:
+ jobs: null
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+secrets:
+ oci_image_registry:
+ memcached: memcached-oci-image-registry-key
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ memcached:
+ username: memcached
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+ oslo_cache:
+ namespace: null
+ host_fqdn_override:
+ default: null
+ hosts:
+ default: memcached
+ port:
+ memcache:
+ default: 11211
+ metrics:
+ default: 9150
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+
+network_policy:
+ memcached:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+monitoring:
+ prometheus:
+ enabled: false
+ memcached_exporter:
+ scrape: true
+
+images:
+ pull_policy: IfNotPresent
+ tags:
+ dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
+ memcached: 'docker.io/library/memcached:1.5.5'
+ prometheus_memcached_exporter: docker.io/prom/memcached-exporter:v0.4.1
+ image_repo_sync: docker.io/library/docker:17.07.0
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+labels:
+ server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+manifests:
+ configmap_bin: true
+ deployment: true
+ job_image_repo_sync: true
+ network_policy: false
+ service: true
+ secret_registry: true
+
+pod:
+ security_context:
+ server:
+ pod:
+ runAsUser: 65534
+ container:
+ memcached:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ memcached_exporter:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+ tolerations:
+ memcached:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ lifecycle:
+ upgrades:
+ deployments:
+ pod_replacement_strategy: RollingUpdate
+ revision_history: 3
+ rolling_update:
+ max_surge: 3
+ max_unavailable: 1
+ termination_grace_period:
+ memcached:
+ timeout: 30
+ replicas:
+ server: 1
+ resources:
+ enabled: false
+ memcached:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ requests:
+ cpu: "500m"
+ memory: "128Mi"
+ prometheus_memcached_exporter:
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ requests:
+ cpu: 500m
+ memory: 128Mi
+ jobs:
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+...
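Review bot: `endpoints.oci_image_registry.auth.memcached.password: password` ships a literal default credential; it is inert while `endpoints.oci_image_registry.auth.enabled` stays `false`, but as soon as an operator flips that flag the registry pull secret in `secret-registry.yaml` is rendered with this value unless the password is overridden in the same change. A comment on the key would make that coupling explicit: `# placeholder only; must be overridden whenever auth.enabled is set to true`. The same silent-default pattern applies to `network_policy.memcached.ingress: - {}` and `egress: - {}`: once `manifests.network_policy` is enabled they allow all traffic in both directions, and nothing in this file says the intent is for `values_overrides/netpol.yaml` to narrow them.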
diff --git a/charts/memcached/values_overrides/apparmor.yaml b/charts/memcached/values_overrides/apparmor.yaml
new file mode 100644
index 0000000..1d95222
--- /dev/null
+++ b/charts/memcached/values_overrides/apparmor.yaml
@@ -0,0 +1,15 @@
+---
+pod:
+ mandatory_access_control:
+ type: apparmor
+ prometheus_memcached_exporter:
+ init: runtime/default
+ memcached-exporter: runtime/default
+ memcached:
+ init: runtime/default
+ memcached: runtime/default
+
+monitoring:
+ prometheus:
+ enabled: false
+...
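Review bot: The `prometheus_memcached_exporter` key under `pod.mandatory_access_control` looks like a pod name this chart never creates: in the deployment template the exporter runs as the `memcached-exporter` sidecar of the memcached pod, so its profile would presumably have to sit under `memcached:` next to `memcached: runtime/default` for the annotation helper to pick it up (the helper's lookup key is not visible here, so this is inferred). Because this override also sets `monitoring.prometheus.enabled: false`, the stray block is never exercised, which also means the exporter container is never tested under an AppArmor profile. Suggested shape: `memcached:` / `  init: runtime/default` / `  memcached: runtime/default` plus `  memcached-exporter: runtime/default`, dropping the separate `prometheus_memcached_exporter` block.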
diff --git a/charts/memcached/values_overrides/netpol.yaml b/charts/memcached/values_overrides/netpol.yaml
new file mode 100644
index 0000000..c4d3079
--- /dev/null
+++ b/charts/memcached/values_overrides/netpol.yaml
@@ -0,0 +1,77 @@
+---
+manifests:
+ network_policy: true
+network_policy:
+ memcached:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: ingress
+ - podSelector:
+ matchLabels:
+ application: keystone
+ - podSelector:
+ matchLabels:
+ application: heat
+ - podSelector:
+ matchLabels:
+ application: glance
+ - podSelector:
+ matchLabels:
+ application: cinder
+ - podSelector:
+ matchLabels:
+ application: barbican
+ - podSelector:
+ matchLabels:
+ application: ceilometer
+ - podSelector:
+ matchLabels:
+ application: horizon
+ - podSelector:
+ matchLabels:
+ application: ironic
+ - podSelector:
+ matchLabels:
+ application: magnum
+ - podSelector:
+ matchLabels:
+ application: mistral
+ - podSelector:
+ matchLabels:
+ application: nova
+ - podSelector:
+ matchLabels:
+ application: neutron
+ - podSelector:
+ matchLabels:
+ application: senlin
+ - podSelector:
+ matchLabels:
+ application: placement
+ - podSelector:
+ matchLabels:
+ application: prometheus_memcached_exporter
+ - podSelector:
+ matchLabels:
+ application: aodh
+ - podSelector:
+ matchLabels:
+ application: rally
+ - podSelector:
+ matchLabels:
+ application: memcached
+ ports:
+ - port: 11211
+ protocol: TCP
+ - port: 9150
+ protocol: TCP
+ egress:
+ - to:
+ - ipBlock:
+ cidr: %%%REPLACE_API_ADDR%%%/32
+ ports:
+ - protocol: TCP
+ port: %%%REPLACE_API_PORT%%%
+...
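Review bot: `cidr: %%%REPLACE_API_ADDR%%%/32` and `port: %%%REPLACE_API_PORT%%%` are not valid YAML plain scalars — `%` is a directive indicator and cannot start an unquoted value — so as committed this file only parses after the placeholders have been substituted and will fail yamllint or a dry `helm template`. For the CIDR, `cidr: "%%%REPLACE_API_ADDR%%%/32"` keeps text substitution working and makes the file lintable; the port has to remain a bare integer after substitution (a quoted value would be read as a named port), so it deserves a comment on the key stating that the token is replaced before the file is loaded. Worth stating in the same comment that the ingress allowlist is purely label-based within the namespace, so it is only as strong as control over who may set `application` labels there.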
diff --git a/charts/neutron/.helmignore b/charts/neutron/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/neutron/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/neutron/Chart.yaml b/charts/neutron/Chart.yaml
new file mode 100644
index 0000000..4270928
--- /dev/null
+++ b/charts/neutron/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Neutron
+home: https://docs.openstack.org/neutron/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: neutron
+sources:
+- https://opendev.org/openstack/neutron
+- https://opendev.org/openstack/openstack-helm
+version: 0.3.2
diff --git a/charts/neutron/charts/helm-toolkit/Chart.yaml b/charts/neutron/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/neutron/charts/helm-toolkit/requirements.yaml b/charts/neutron/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
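Review bot: `$endpointUser` and `$endpointPass` are interpolated into the URI by the final `printf` without any escaping, so a password containing `@`, `:`, `/`, `#` or `%` yields a URI that the consumer splits at the wrong place; the same pattern appears in both `printf` branches of `_authenticated_transport_endpoint_uri_lookup.tpl`. Go templates provide `urlquery`, so `{{- $endpointPass := index $userMap "password" | urlquery }}` would make the value safe to embed, provided the consuming URL parser (oslo.db / oslo.messaging) unquotes userinfo — that should be verified before changing it. At minimum the header comment should state that credentials must not contain URI-reserved characters.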
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
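Review bot: The IPv4 detection `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any hostname that merely contains a dotted-quad substring (a constructed example: a host named after a version such as `build-1.2.3.4`) is returned verbatim instead of being resolved to a cluster FQDN. Anchoring it, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, limits the short-circuit to bare addresses; IPv6 literals are handled by neither form and the abstract should say so explicitly (it also reads "of if" where "or if" is meant). The `__endpointHost` scratch key written into `$context.Values` is a side effect that outlives the call — likewise `__FQDNendpointHostDefault` in `_hostname_fqdn_endpoint_lookup.tpl` — and will show up wherever a chart renders `.Values` into a configmap or debug output.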
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
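Review bot: `printf "%1.f" $endpointPort` assumes the port arrives as a float; Go's fmt renders an integer argument under `%f` as `%!f(int=3306)`, so a port supplied through `--set` or by a caller that hands in an integer could render a malformed value. Presumably the float assumption holds for numbers parsed from values YAML, so confirm rather than change blindly; `{{- printf "%v" (int $endpointPort) -}}` would accept both forms. There is also no guard for a `$port` name that is absent from `$endpointMap.port`: `index` on the resulting nil then fails on the next line with a message that names neither endpoint nor port, and `{{- if not $endpointPortMAP }}{{- fail (printf "no port %s defined for endpoint %s" $port $type) }}{{- end }}` would make the misconfiguration obvious.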
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/neutron/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
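Review bot: `$s3UserSecret` is assigned at the top of the define (`index $envAll.Values.secrets.rgw $serviceName`) and never referenced anywhere else in the template, so the lookup is dead code that only adds a hard requirement on `secrets.rgw.<serviceName>` existing; either drop the line or use it. The TLS CA volume sets `defaultMode: 292` while the `ceph-etc` volume just above uses `0444`; both denote the same mode, so write `defaultMode: 0444` for consistency. The sibling s3-user job exports `RGW_HOST` explicitly after the `rgw_s3_user_env_vars` include while this job does not, yet the create-s3-bucket script relies on `$RGW_HOST`; confirm the snippet provides it, otherwise add the same env entry here. This path is a bundled helm-toolkit subchart copy, so the fix should land upstream and be re-vendored rather than patched only here.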
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
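Review bot: The `ceph-keyring-sh` volume is always backed by `configMap: {{ $configMapBin | quote }}`, whereas `create-s3-user-sh` right above it honours `$secretBin`; a chart that ships its scripts only through `secretBin` will have the `ceph-keyring-placement` init container fail on a missing ConfigMap. Mirror the `{{- if $secretBin }} secret … {{- else }} configMap … {{- end }}` block for that volume as well. `$s3UserSecret` is also computed and never used here, as in the s3-bucket template. The `helm.sh/hook-delete-policy` annotation only takes effect when a `helm.sh/hook` annotation is present too (presumably supplied through `jobAnnotations`), which is worth a one-line comment next to it.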
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
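Review bot: The `docker-socket` hostPath volume mounts `/var/run/docker.sock` with no `type:`, so on a node without a Docker daemon the runtime will typically create an empty directory at that path and the sync script fails late with an unclear error; add `type: Socket` under `hostPath` so the pod fails fast, and document the exposure above the volume with `# the host docker socket grants this job control of the node's container runtime; only enable image_repo_sync where a local registry sync is genuinely required`. `serviceAccountName: {{ $serviceAccountName }}` is unquoted here while the s3 job templates use `| quote`; align them. As with the other files under this path, this is a vendored helm-toolkit copy, so the change belongs upstream as well.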
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
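Review bot: The two `podSelector` branches for `hosts.internal` and `hosts.default` are identical apart from the hosts key, and `$defaultValue` is read from `hosts.internal` before the `hasKey` check decides which key applies; choosing the key first removes the duplication without changing the output. The `usage:` doc block's second example line lacks the `| include "helm-toolkit.manifests.kubernetes_network_policy"` pipe, so it is not a usable invocation. The generated egress rules also assume every endpoint namespace carries a `name: <namespace>` label (`namespaceSelector.matchLabels.name`), which Kubernetes does not apply by itself; that precondition should be stated in the abstract, because without the label the egress rule silently matches no peers.
```yaml
{{- else if index $value "hosts" }}
{{- $hostKey := ternary "internal" "default" (hasKey (index $value "hosts") "internal") }}
{{- $defaultValue := index $value "hosts" $hostKey }}
{{- $a := split "-" $defaultValue }}
      - podSelector:
          matchLabels:
            application: {{ printf "%s" (index $a._0) | default $defaultValue }}
{{- end }}
# … unchanged: ports range, egress/ingress overrides from network_policy values …
```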
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
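Review bot: The doc block's example values give the credential as `name: {{ $userName }}` while the template reads `$imageCredentials.username`, and the example return shows `dockerconfigjson:` where the template emits `.dockerconfigjson:`; both examples should be corrected, and since the second example is a verbatim copy of the first, one of them can go. Building the auth file with `printf "{\"auths\": …}"` leaves the host and token unescaped, so any quote or backslash in the endpoint host would yield invalid JSON; `{{- $dockerAuth := dict "auths" (dict (printf "%s%s" $registryHost $registryPort) (dict "auth" $dockerAuthToken)) | toJson | b64enc }}` produces the same document with proper encoding. The rendered Secret holds registry credentials taken straight from values, which the abstract should say so operators keep those values out of committed overrides.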
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
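Review bot: The abstract reads `Creates a manifest for a services public tls secret` and does not mention that a `tls.ca` value, when present, is appended to `tls.crt` so the Secret carries the full chain (the `list … | join "\n"` branch); change it to `Creates a manifest for a service's public TLS secret; when tls.ca is set it is appended to tls.crt so the Secret holds the certificate chain.` It is also worth noting there that the blank line between crt and ca in the first example's decoded output is expected, because the block-scalar values keep their trailing newline before the join. The private key is read directly from `endpoints.<type>.host_fqdn_override.<endpoint>.tls.key` in values, which the abstract should state so it is not placed in committed values files.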
diff --git a/charts/neutron/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/neutron/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
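Review bot: The header comment says this function `creates a manifest for a services ingress rules`, but the template renders a `Service` named after the backend service's public hostname whose selector is the ingress controller (`app: ingress-api`), with an optional `clusterIP` from `endpoints.<type>.ip.ingress`; rewrite it as `# This function creates a Service named after the backend service's public hostname that fronts the ingress controller pods (selector app: ingress-api), with an optional fixed clusterIP taken from endpoints.<backendServiceType>.ip.ingress.` The two ports are declared without `targetPort`, so they rely on the ingress controller pods listening on 80 and 443 directly; a short comment stating that assumption would help readers.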
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
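Review bot: The `else` branch that appends `--no-check-certificate` disables TLS certificate verification for every non-http RGW endpoint, so the admin and user keys in ADMIN_AUTH_ARGS/USER_AUTH_ARGS are sent to whatever answers on $RGW_HOST. s3cmd accepts a CA bundle through `--ca-certs=`, so mounting the cluster CA and replacing that line with `CONNECTION_ARGS+=" --ca-certs=<path-to-ca-bundle>"` (placeholder path) keeps verification on without the http special case. The access and secret keys are also passed on the command line of every s3cmd call, where they are readable from the job pod's process table; a per-identity config file (`-c <s3cfg>`) would keep them out of argv.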
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
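Review bot: The secret key is passed to radosgw-admin on the command line at `--secret-key ${S3_SECRET_KEY}`, both in create_s3_user and in the `user modify` call, which exposes it to anything able to read the job pod's process table; this is tolerable only because the script uses `set -e` without `-x`, so that property should be documented with a comment such as `# do not enable -x here: key material is on the command line`. Separately, `--uid=${S3_USERNAME}\` in update_s3_user has no space before the continuation backslash and only parses as two arguments because the following line is indented; write it as `--uid=${S3_USERNAME} \` to match the create_s3_user call. The `user_exists` probe treats any non-zero exit of `radosgw-admin user info` as "user absent" because of `|| true`, so a transient RGW error routes into create_s3_user rather than a retry.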
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
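Review bot: `DROP DATABASE IF EXISTS {0}` and `DROP USER IF EXISTS {0}` interpolate the database and user names parsed from the service connection URL as bare, unquoted tokens, so a name containing `-` or another non-identifier character fails, and the sibling db_init template in this toolkit already backtick-quotes the database in its GRANT; quote the database with backticks here and the user as `'{0}'` so drop and init agree. Both statements run as the root account, so the identifier should at least be checked against a conservative pattern before formatting rather than trusted from the URL. The bare `except:` blocks re-raise, which is fine, but `except Exception:` would avoid swallowing SystemExit/KeyboardInterrupt on the way through the logger.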
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
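Review bot: The GRANT statement embeds the service user's password as a single-quoted literal via str.format with no escaping, so a generated password containing `'` or `\` breaks the statement, and any value that reaches DB_CONNECTION shapes SQL executed as root. Passing it as a DBAPI parameter (`IDENTIFIED BY %s` with `(password,)` as the parameter tuple; PyMySQL and mysqlclient escape client-side, other drivers may differ) or escaping quotes before formatting would close that; the `CREATE DATABASE IF NOT EXISTS {0}` identifier is likewise unquoted while the GRANT backtick-quotes it. The `{3}` trailer appends the raw `MARIADB_X509` environment value to the GRANT, presumably a `REQUIRE ...` clause; a comment stating the expected form would stop someone setting it to `true`.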
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
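Review bot: `set -ex` traces every pgsql_superuser_cmd invocation to stderr, so the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` commands write the service database password into the job's log; the keystone_user template in this same toolkit wraps its password step in `set +x` / `set -x`, and the same two lines should surround these commands. `EXPORT PGDATABASE=$2` in pgsql_superuser_cmd is not a shell builtin (it should be `export`), so the first caller that passes a second argument fails with "command not found" under `set -e`; none of the calls in this hunk pass one, which is why it is latent. The password is also interpolated unescaped into the SQL literal, so a value containing `'` breaks the statement; feeding the statement on stdin with `-v pw="$USER_DB_PASS"` and `:'pw'` quoting would avoid that.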
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
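Review bot: With `set -ex` in effect, the `--password="${SERVICE_OS_PASSWORD}"` arguments on the `openstack user create` and `openstack user set` calls are echoed to stderr, so the service user's password lands in the job's log; the keystone_user template in this same toolkit masks its password step with `set +x` / `set -x` and a placeholder echo, and this script should do the same around both calls. The `openstack role show ... || openstack role create ...` fallback creates the role on any failure of role show, including a transient Keystone error, whereas `openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}"` (already used in keystone_user) is idempotent.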
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
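Review bot: The retry loop masks failures of `openstack service list`: the pipeline's status is sed's, so a Keystone connection error yields an empty OS_SERVICE_ID, and after three attempts the script falls through to `openstack service create` and registers exactly the duplicate service the FIXME comment describes. Capture the listing separately, e.g. `SVC_LIST=$(openstack service list -f csv --quote none) || { sleep 2; continue; }`, grep the captured text, and exit non-zero after the loop if the listing never succeeded, so a transient error becomes a retry rather than a create; `set -o pipefail` alone would not do, since grep's exit 1 on no match would abort under `set -e`. The comment also has typos (`duplciate`, `ecounter`).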
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
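Review bot: `export USER_ROLE_ID=$(openstack role create --or-show ...)` masks the command substitution's exit status, so under `set -e` a failed role lookup continues with an empty USER_ROLE_ID and the final `ks_assign_user_role` calls `openstack role add` with an empty role; split it into `USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${MEMBER_OS_ROLE}")` followed by `export USER_ROLE_ID`. `IFS=','` is set for the rest of the process and never restored; scope it to the loop (`IFS=',' read -ra ROLES <<< "${SERVICE_OS_ROLES}"`) or restore it afterwards. The `set +x` masking around `openstack user set --password` is the right pattern and is the one the other keystone scripts in this toolkit lack.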
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
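Review bot: The TLS branch of rabbitmqadmin_cli passes `--ssl-disable-hostname-verification` alongside a CA file, so the client accepts any certificate that chains to that CA no matter which host presents it, which largely defeats the point of pinning a CA for a channel that carries the RabbitMQ admin credentials. Unless the broker is known to serve a certificate whose SAN cannot match RABBIT_HOSTNAME, drop that flag or gate it behind an explicit opt-in variable, and add a comment stating why it is needed if it must stay. Both branches also expand `${@}` unquoted, so any argument containing whitespace is re-split before it reaches rabbitmqadmin; `"${@}"` forwards the arguments as given. Note as well that the admin password is passed as `--password=` on the command line, where it is readable by anything that can inspect the process table in the pod.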
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
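Review bot: /tmp/rally-config.json holds the admin and service-user passwords in clear text, is created with the process's default umask, and is only removed by the `rm -f` that follows a successful `rally deployment create`; under `set -e` a failure in that call exits the script with the file still on disk, and the EXIT trap's rally_cleanup does not remove it. Set `umask 077` before the heredoc and add `rm -f /tmp/rally-config.json` to the cleanup path (the trap, or an unconditional EXIT trap when RALLY_CLEANUP is false). Separately, `[ $revisionResults = "None" ]` in create_or_update_db is unquoted, so an empty `rally db revision` output turns into a test syntax error rather than the intended branch; `[ "$revisionResults" = "None" ]` avoids that.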
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Calculation remote file SHA256 hash
+ REMOTE_FILE=$(mktemp -p /tmp)
+ openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+ rm -rf ${REMOTE_FILE}
+ return 1
+ fi
+
+ # Remote backup verification
+ SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+ SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+ if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+ return 1
+ fi
+ rm -rf ${REMOTE_FILE}
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
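Review bot: `if $REMOTE_BACKUP; then` in backup_databases executes whatever string REMOTE_BACKUP_ENABLED holds as a command rather than testing it, so any value other than a literal true/false — a stray word in the secret, for instance — runs as a program inside the backup pod; compare it instead with `if [[ "${REMOTE_BACKUP}" == "true" ]]; then`. The warning in remove_old_local_archives references `${$ARCHIVE_DIR}`, which bash rejects as a bad substitution and so aborts that branch; it should read `${ARCHIVE_DIR}`. In create_hash_table, `[[ -z fileTable[${INDEX}] ]]` tests a literal string and never takes the first branch, leaving a leading space in every value; `[[ -z "${fileTable[${INDEX}]}" ]]` is what was intended. The curl in send_to_remote_server uses `2>&1 > $RES_FILE`, which sends stderr to the terminal and only stdout to the file, so the error-body check on the next line misses curl's own failures; `> "$RES_FILE" 2>&1` captures both.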
diff --git a/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
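Review bot: `database_exists` checks the archive with `grep "${DB}" ${RESULT_FILE}`, an unanchored regex substring match, so restoring `nova` passes the existence check when the archive only holds `nova_api` and the failure surfaces later from `restore_single_db`; a fixed-string whole-line match, `grep -qxF -- "${DB}" "${RESULT_FILE}"`, pins the intended semantics. In `retrieve_remote_listing` the `$?` tested after the `openstack object list | grep | grep | awk` pipeline is awk's status, so a failed listing still prints "Archive listing successfully retrieved." with an empty list unless `set -o pipefail` is in effect, which nothing in this file establishes. The `grep $DB_NAME | grep $DB_NAMESPACE` filter there has the same unanchored substring behaviour, and `ARCHIVE_FILE` is used unquoted and unsanitised in `cp`/`tar` paths, so a `basename` or a check that it contains no `/` in `get_archive` would keep the CLI from reaching outside `ARCHIVE_DIR`.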
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
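Review bot: A mistyped image key passed to this snippet is not caught at render time: `index $envAll.Values.images.tags $image` yields nil for a missing key, so the manifest is emitted with an empty `image:` value (as far as the `quote` pipe shows) and the problem only appears when the Pod is rejected or fails to pull. Wrapping the lookup, e.g. `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s must be set" $image) -}}`, fails the render with the offending key named. The `imagePullPolicy` value is rendered unquoted; quoting it would keep a stray value from being retyped by the YAML parser.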
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
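Review bot: The documentation header is out of step with the define body: the `return:` example omits `OS_DEFAULT_DOMAIN`, which the template always emits, and lists `OS_CACERT` unconditionally although the body only renders it when `.useCA` is set, a parameter the `usage:` line never mentions. Suggest adding `"useCA" true` to the usage example, adding the `OS_DEFAULT_DOMAIN` entry to the return block, and stating that `OS_CACERT` is conditional. `OS_ENDPOINT_TYPE` being sourced from the `OS_INTERFACE` secret key looks deliberate but deserves a one-line comment such as `{{/* OS_ENDPOINT_TYPE intentionally mirrors OS_INTERFACE for older clients */}}` so it is not "fixed" later.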
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
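Review bot: This snippet is the only one in the series without the `abstract:`/`values:`/`usage:`/`return:` header its siblings carry, and its calling convention (a three-element tuple of user class, identity endpoint type and chart context) is documented nowhere in the file. A header with a usage line of the form `{{ tuple "<userClass>" "<identityEndpoint>" . | include "helm-toolkit.snippets.keystone_secret_openrc" }}` plus a note that the fields are read from `.Values.endpoints.identity.auth.<userClass>` and emitted base64-encoded for a Secret `data:` block would make it usable without reading the body. It is also worth stating that `OS_CACERT` is only emitted when `cacert` is set, which is what the `useCA` gate in the consuming env-var snippet relies on.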
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
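Review bot: The `usage:` example passes `"useCA" true`, but the define body only reads `.ksUserSecret`; `useCA` is silently ignored and no CA entry is rendered, so the documentation advertises a knob the template does not have. Either drop `"useCA" true` from the usage line, or, if the keystone user jobs are expected to trust a custom CA, add a `{{- if .useCA }}` guarded CA entry mirroring the openrc env-var snippet. The two files differ only in the `SERVICE_` prefix and the missing CA/default-domain entries, which makes the mismatch easy to overlook.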
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
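Review bot: The `values:` example places `apparmor_profiles` under `pod.mandatory_access_control`, but the body reads `$envAll.Values.conf.apparmor_profiles` (the `if` just before the `---`), so a chart author following the documentation gets no ConfigMap and no error. The example also writes `apparmor_profiles: |-`, which makes the value one string, whereas `toYaml | indent 2` under `data:` only yields the documented `my_apparmor-v1.profile` key when the value is a mapping; suggest moving the example under `conf:` and dropping that `|-`. If a consuming chart has no `conf` key at all, the `.apparmor_profiles` lookup on nil is likely a render error rather than a silent skip; a `hasKey $envAll.Values "conf"` guard, consistent with the `hasKey` checks above it, would avoid that.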
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
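Review bot: The init container is rendered whenever `configmap_apparmor` is true, but the ConfigMap it mounts at `/profiles` is only emitted when `conf.apparmor_profiles` is also set (the `if $envAll.Values.conf.apparmor_profiles` guard in the configmap snippet above), and the volumes snippet in the next hunk always adds the `profiles` configMap volume; with the flag on and no profiles defined the pod references a ConfigMap that is never created and cannot start. Adding the same `{{- if $envAll.Values.conf.apparmor_profiles }}` guard here and in the volumes snippet keeps the three snippets gated identically. `privileged: true` is presumably needed to load profiles through `/sys`, but nothing says so; a comment such as `# privileged: profile loading writes to the AppArmor interface under /sys` would record the intent, and rendering the image via `helm-toolkit.snippets.image` (as the entrypoint init container does) would add the imagePullPolicy handling this block lacks.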
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
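Review bot: `hasKey ( index $envAll.Values.pod.security_context ) $application` wraps the map in an `index` call with no keys, which is a no-op; `hasKey $envAll.Values.pod.security_context $application` reads as intended. The per-container map is passed through `toYaml` without any filtering, so whatever sits under `pod.security_context.<app>.container.<name>` (including `privileged` or added `capabilities`) lands in the manifest verbatim; a line in the abstract such as `Values are rendered as-is; no keys are filtered or defaulted here.` would make that contract explicit to chart authors. The API reference link in the abstract still points at the v1.13 documentation.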
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
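Review bot: `value: {{- toJson $deps.jobs | quote -}}` in the DEPENDENCY_JOBS_JSON branch left-trims the space after `value:`, so the line appears to render as `value:"[…]"`, which YAML reads as a plain scalar rather than a key/value pair and should fail to parse whenever a chart lists jobs as mappings; `value: {{ toJson $deps.jobs | quote }}` matches the form used for DEPENDENCY_POD_JSON a few lines below. The `range $deps.custom_resources` loop `set`s `namespace` on entries that, in the non-local-registry path, are the chart's own `dependencies.static` objects, so the mutation leaks into `.Values` for the remainder of the render; patching a `deepCopy` of the list would avoid that. The merged defaults (runAsUser 65534, read-only root filesystem, no privilege escalation) are sound; a comment above the `mergeOverwrite` line noting that chart values override them key by key would help readers who only see the example with `runAsUser: 0`.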
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
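Review bot: This snippet has no abstract/usage/return header, unlike every other snippet in this directory. `$application` and `$component` are spliced into the `-l` selector string without quoting, and the result is presumably placed on a kubectl command line by callers, so the header should state that constraint, roughly `abstract: Renders "-l application=<app> -l component=<component>" selector flags for kubectl; callers must pass valid label values only.`, followed by the usual `usage` and `return` examples. If callers cannot guarantee that, `print "-l application=" ($application | quote) " -l component=" ($component | quote)` is a one-line hardening.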
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
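Review bot: The profile value is rendered unquoted in `container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}`, whereas the volumes snippet quotes its rendered name; `{{ $apparmorProfile | quote }}` keeps the value a string under any parser and is consistent with the rest of the toolkit. When `type` is apparmor but the pod or a container has no entry, the snippet silently emits nothing and that container runs with whatever the runtime applies by default rather than a chart-chosen profile; a sentence under `note:` such as `Containers without an entry receive no annotation and fall back to the runtime default.` would make that explicit. The beta annotation form is the legacy mechanism — newer Kubernetes releases expose `securityContext.appArmorProfile` — so a TODO pointing there fits the future the abstract already anticipates.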
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
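Review bot: Component-specific labels are emitted before the `default` labels, so a key present in both appears twice in the rendered mapping; duplicate keys are invalid YAML, and the parsers that tolerate them keep the last value, which makes `default` override the component entry — the opposite of what the layering suggests. Merging into one map first removes the duplicate and fixes the precedence: `{{ mergeOverwrite (dict) ($envAll.Values.pod.labels.default | default dict) (index $envAll.Values.pod.labels $component | default dict) | toYaml }}`. `release_group`, `application` and `component` are also rendered unquoted; `| quote` would keep a numeric-looking release group name a string.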
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
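Review bot: A `pod.affinity.anti.type` value other than the two compared here produces `podAntiAffinity:` with nothing beneath it, so a typo silently drops the scheduling constraint instead of failing the render. An `{{- else }}` branch before the final `end`, e.g. `{{ fail (printf "unsupported pod.affinity.anti.type %q" $antiAffinityType) }}`, surfaces the misconfiguration at template time. In the preferred branch the hard-coded `weight: 10` fallback duplicates the documented `weight.default`; a comment saying it only covers charts that predate the `weight` stanza would explain why both exist.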
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
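Review bot: The Role grants `get` and `list` on every listed resource across all four apiGroups at once, so a `secrets` dependency gives the service account read access to every Secret in `$saNamespace`, not just the one it waits for; because `list` cannot be narrowed with `resourceNames`, a comment above `rules:` recording that trade-off, e.g. `# NOTE: list on secrets exposes every secret in the namespace; keep secret dependencies minimal.`, is the least a reader needs. Pairing each resource with only its own apiGroup (`""` for pods/services/endpoints/secrets, `apps` for daemonsets, `batch` for jobs) would tighten the grant without changing what the entrypoint can observe, though that is a larger rewrite. The `extensions` group no longer serves these resources in recent Kubernetes releases, so it is likely dead weight.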
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
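Review bot: `$randomKey := randAlphaNum 32` and the later `unset` exist only to build an empty map, but `dict` with no arguments already yields one (this hunk uses it on the `__kubernetes_entrypoint_init_container` line), so `{{- $allNamespace := dict }}` replaces both lines and drops an unneeded random value from the render. The dependency-resolution block that populates `__kubernetes_entrypoint_init_container.deps` is a verbatim copy of the one in the entrypoint init-container snippet; factoring it into a shared helper would keep the two from drifting. Service dependencies create Roles in the endpoint's namespace (`$endpointNS`), i.e. cross-namespace read grants on services and endpoints; a comment above the `range` such as `# Service dependencies may live in other namespaces; a Role/RoleBinding is emitted per namespace.` would document that scope.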
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/neutron/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/neutron/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
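Review bot: The returned map carries the CA private key under `caKey` (set in both the encoded and plain branches), but the header's `return:` block lists only `ca`, `crt`, `exp` and `key`, so a caller that pipes the whole map into a Secret also ships the CA private key alongside every leaf certificate without the documentation warning it. Add `caKey: |` / `<CA PRIVATE KEY>` to the documented return and a comment above the `$certificate := dict` line such as `{{/* caKey is the CA private key; callers should drop it before writing per-service Secrets */}}`. Separately, when `ca` is present but lacks `crt` or `key`, `$local.ca` is never set and `genSignedCert` receives nil, which presumably fails the render rather than falling back to `genCA`; a comment or an explicit `fail` there would make that intent visible. `exp` is also derived from `now` at render time rather than from the certificate's own NotAfter, which is fine as an approximation but worth a one-line note.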
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
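Review bot: This template has no `abstract:`/`values:`/`usage:`/`return:` header, unlike the sibling helpers in the same directory, so the meaning of `override`, `prefix` and `append` on `$keyRoot` and the fixed `indent 4` has to be inferred from the body. Add a header comment describing that `override` replaces the rendered template entirely, `prefix` and `append` are emitted verbatim before and after it, and all output is indented four spaces for placement under a ConfigMap `data:` key.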
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
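Review bot: The line `{{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}` is dead: the very next line sets `name` unconditionally, so it can be dropped. The template also lacks the `abstract:`/`usage:` header the other utils carry, and its five positional arguments (daemonset name, daemonset yaml, configmap include name, configmap name, context) deserve a short description there. `{{- $_ := unset $context ".Files" }}` removes a key literally named `.Files`, which is presumably not the context's `Files` entry and so looks like a no-op; if the intent was to keep `Files` out of the deep copies below, `unset $context "Files"` seems to be what was meant, but please confirm against a rendered chart before changing it.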
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
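Review bot: The scratch key `__deps` written into `$envAll.Values` in the slice branch is never removed, whereas `_daemonset_overrides.tpl` unsets its `__current_label` scratch key once done; the leftover key stays visible to every later template that inspects `.Values`. Add `{{- $_ := unset $envAll.Values "__deps" }}` after the `range` closes. Both branches also `index` into `$envAll.Values.dependencies.dynamic.targeted`, which presumably errors at render time when that map is absent from values; a guard or a comment stating that `dependencies.dynamic.targeted` is required whenever `dependencyMixinParam` is supplied would help chart authors.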
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
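Review bot: `replace $last $name` rewrites every occurrence of the basename inside `$context.Template.Name`, not only the final path component, so a template whose basename also appears earlier in its path would resolve to the wrong include target; building the sibling path explicitly is both safer and clearer, e.g. `{{- $sibling := printf "%s/%s" (dir $context.Template.Name) $name -}}` followed by `{{- include $sibling $context | sha256sum | quote -}}`. The variable name `$wtf` also says nothing about what it holds and should be renamed along the lines above.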
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
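Review bot: The define on the last lines wraps each value in single quotes but never escapes a `'` inside the value, so an element such as `it's` renders as `'it's'` and breaks whatever quoted context the caller is building (a SQL `IN (...)` list or a shell word, for instance). If the intended consumers are SQL-style lists, `'{{- $v | replace "'" "''" -}}'` keeps the output well-formed; otherwise a comment on the define stating that values must not contain single quotes would at least make the contract explicit. The abstract also misspells `seperated` — `separated`. This file appears to be vendored from helm-toolkit, so the fix likely belongs upstream as well as here.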
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
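Review bot: The license block at the top of this file opens with `{/*` instead of `{{/*`, so it is not a template comment at all: the whole license text, including the stray `*/}}`, sits as literal text at the top level of the partial. Helm does not render underscore-prefixed partials as manifests, which is presumably why this has gone unnoticed, but any tool that lints or renders the file standalone will surface it. Change the first line to `{{/*`. If the other bundled charts carry the same helm-toolkit copy, they should be checked for the same typo.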
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
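Review bot: `_merge.shallow` copies only the top level of a source map, so when a new key is introduced in the `if not (hasKey $.target $key)` branch its nested maps stay shared with the source; a later source in the same tuple that recurses into that key then `set`s into the shared nested map and silently mutates the earlier source value, contradicting the header comment's promise that only the first (target) value is modified. Replacing the shallow copy with a deep copy removes the aliasing, e.g. `{{- $_ := set $local "newTargetValue" (deepCopy $sourceValue) -}}` in place of the `$copy`/`_merge.shallow` pair (and likewise in the `merge_same_named` branch), which relies on Sprig's `deepCopy` available in Helm 3. The open `TODO` about merging a collection with a scalar is also worth closing with a `fail`, since silently keeping the source can drop an entire configuration subtree without any signal to the operator.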
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_template.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
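Review bot: `replace $last $name` on `$context.Template.Name` substitutes every occurrence of the current file's basename anywhere in the path, not only the final component, so a directory component that happens to equal the basename is rewritten too and `include` then fails or resolves a different partial. Build the sibling name from the directory instead: `{{- $tmpl := printf "%s/%s" (dir $context.Template.Name) $name -}}` followed by `{{ include $tmpl $context }}`, which also retires the `$wtf` local name. A one-line comment on the define saying that it includes the named template from the same directory as the calling template would make the helper's purpose clear to readers of this vendored copy.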
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
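Review bot: The usage example in the abstract does not match the define beneath it: it calls `helm-toolkit.utils.to_k8s_env_vars` with `.Values.test`, while the function is `to_k8s_env_secret_vars` and indexes a two-element tuple (`$context`, `$secrets`), so copying the example fails at render time. Correct it to `{{ include "helm-toolkit.utils.to_k8s_env_secret_vars" (tuple . .Values.test.secrets) }}`. In the body, `name: {{ $key }}` and `key: {{ $key }}` are emitted unquoted; `{{ $key | quote }}` keeps YAML from retyping a key that looks like a number or boolean, consistent with the already-quoted secret `name:` two lines above.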
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neutron/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/neutron/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
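Review bot: A map-valued option whose `type` is neither `multistring` nor `csv` is silently omitted from the rendered file by the `else if kindIs "map" $value` branch, because nothing handles the fallthrough before `{{ end -}}`; a typo in `type:` for a security-relevant option (a policy or auth setting, say) would drop it with no error and leave the service on its built-in default. Add a terminating branch that aborts rendering, e.g. `{{ else }}{{ fail (printf "to_oslo_conf: unsupported type %q for [%s] %s" $value.type $section $key) }}` before that `end`. Whether an unset `$value.type` already makes `eq` error depends on the Go version Helm was built with, which is another reason to make the failure explicit rather than rely on it.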
diff --git a/charts/neutron/charts/helm-toolkit/values.yaml b/charts/neutron/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/neutron/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/neutron/requirements.lock b/charts/neutron/requirements.lock
new file mode 100644
index 0000000..46a4863
--- /dev/null
+++ b/charts/neutron/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:11.317665226Z"
diff --git a/charts/neutron/requirements.yaml b/charts/neutron/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/neutron/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
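Review bot: The `helm-toolkit` dependency resolves from `file://../../openstack-helm-infra/helm-toolkit`, a sibling checkout outside this repository, under an open-ended `>= 0.1.0` constraint, so `helm dependency update` on any machine pulls whatever revision is checked out there and overwrites the bundled copy under `charts/neutron/charts/helm-toolkit`; the neighbouring lock file records 0.2.50, which may not be the version actually vendored. Since this commit bundles the subchart, pin `version` to the exact vendored release (the `version:` in the bundled helm-toolkit `Chart.yaml`, not visible in this hunk) and regenerate the lock so its digest matches. A lock digest over a `file://` source is a weak integrity anchor because there is no remote artifact it corresponds to, so the pin is what actually prevents drift.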
diff --git a/charts/neutron/templates/bin/_bootstrap.sh.tpl b/charts/neutron/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/neutron/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/neutron/templates/bin/_db-sync.sh.tpl b/charts/neutron/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..58edecf
--- /dev/null
+++ b/charts/neutron/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+neutron-db-manage \
+ --config-file /etc/neutron/neutron.conf \
+{{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ --config-file /etc/neutron/plugins/tungstenfabric/tf_plugin.ini \
+{{- else }}
+ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+{{- end }}
+ upgrade head
+
+{{- if .Values.conf.plugins.taas.taas.enabled }}
+neutron-db-manage \
+ --config-file /etc/neutron/neutron.conf \
+ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+ --subproject tap-as-a-service \
+ upgrade head
+{{- end }}
diff --git a/charts/neutron/templates/bin/_health-probe.py.tpl b/charts/neutron/templates/bin/_health-probe.py.tpl
new file mode 100644
index 0000000..1ba4107
--- /dev/null
+++ b/charts/neutron/templates/bin/_health-probe.py.tpl
@@ -0,0 +1,334 @@
+#!/usr/bin/env python
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+"""
+Health probe script for OpenStack agents that uses RPC/unix domain socket for
+communication. Sends message to agent through rpc call method and expects a
+reply. It is expected to receive a failure from the agent's RPC server as the
+method does not exist.
+
+Script returns failure to Kubernetes only when
+ a. agent is not reachable or
+ b. agent times out sending a reply.
+
+sys.stderr.write() writes to pod's events on failures.
+
+Usage example for Neutron L3 agent:
+# python health-probe.py --config-file /etc/neutron/neutron.conf \
+# --config-file /etc/neutron/l3_agent.ini --agent-queue-name l3_agent
+
+Usage example for Neutron metadata agent:
+# python health-probe.py --config-file /etc/neutron/neutron.conf \
+# --config-file /etc/neutron/metadata_agent.ini
+"""
+
+import httplib2
+from http import client as httplib
+import json
+import os
+import psutil
+import signal
+import socket
+import sys
+
+from oslo_config import cfg
+from oslo_context import context
+from oslo_log import log
+import oslo_messaging
+
+rpc_timeout = int(os.getenv('RPC_PROBE_TIMEOUT', '60'))
+rpc_retries = int(os.getenv('RPC_PROBE_RETRIES', '2'))
+rabbit_port = 5672
+tcp_established = "ESTABLISHED"
+log.logging.basicConfig(level=log.{{ .Values.health_probe.logging.level }})
+
+
+def _get_hostname(use_fqdn):
+ if use_fqdn:
+ return socket.getfqdn()
+ return socket.gethostname()
+
+def check_agent_status(transport):
+ """Verify agent status. Return success if agent consumes message"""
+ try:
+ use_fqdn = cfg.CONF.use_fqdn
+ target = oslo_messaging.Target(
+ topic=cfg.CONF.agent_queue_name,
+ server=_get_hostname(use_fqdn))
+ client = oslo_messaging.RPCClient(transport, target,
+ timeout=rpc_timeout,
+ retry=rpc_retries)
+ client.call(context.RequestContext(),
+ 'pod_health_probe_method_ignore_errors')
+ except oslo_messaging.exceptions.MessageDeliveryFailure:
+ # Log to pod events
+ sys.stderr.write("Health probe unable to reach message bus")
+ sys.exit(0) # return success
+ except oslo_messaging.rpc.client.RemoteError as re:
+ message = getattr(re, "message", str(re))
+ if ("Endpoint does not support RPC method" in message) or \
+ ("Endpoint does not support RPC version" in message):
+ sys.exit(0) # Call reached the agent
+ else:
+ sys.stderr.write("Health probe unable to reach agent")
+ sys.exit(1) # return failure
+ except oslo_messaging.exceptions.MessagingTimeout:
+ sys.stderr.write("Health probe timed out. Agent is down or response "
+ "timed out")
+ sys.exit(1) # return failure
+ except Exception as ex:
+ message = getattr(ex, "message", str(ex))
+ sys.stderr.write("Health probe caught exception sending message to "
+ "agent: %s" % message)
+ sys.exit(0)
+ except:
+ sys.stderr.write("Health probe caught exception sending message to"
+ " agent")
+ sys.exit(0)
+
+
+def sriov_readiness_check():
+ """Checks the sriov configuration on the sriov nic's"""
+ return_status = 1
+ with open('/etc/neutron/plugins/ml2/sriov_agent.ini') as nic:
+ for phy in nic:
+ if "physical_device_mappings" in phy:
+ phy_dev = phy.split('=', 1)[1]
+ phy_dev1 = phy_dev.rstrip().split(',')
+ if not phy_dev1:
+ sys.stderr.write("No Physical devices"
+ " configured as SRIOV NICs")
+ sys.exit(1)
+ for intf in phy_dev1:
+ phy, dev = intf.split(':')
+ try:
+ with open('/sys/class/net/%s/device/'
+ 'sriov_numvfs' % dev) as f:
+ for line in f:
+ numvfs = line.rstrip('\n')
+ if numvfs:
+ return_status = 0
+ except IOError:
+ sys.stderr.write("IOError:No sriov_numvfs config file")
+ sys.exit(return_status)
+
+
+def get_rabbitmq_ports():
+ "Get RabbitMQ ports"
+
+ rabbitmq_ports = set()
+
+ try:
+ transport_url = oslo_messaging.TransportURL.parse(cfg.CONF)
+ for host in transport_url.hosts:
+ rabbitmq_ports.add(host.port)
+ except Exception as ex:
+ message = getattr(ex, "message", str(ex))
+ sys.stderr.write("Health probe caught exception reading "
+ "RabbitMQ ports: %s" % message)
+ sys.exit(0) # return success
+
+ return rabbitmq_ports
+
+
+def tcp_socket_state_check(agentq):
+ """Check if the tcp socket to rabbitmq is in Established state"""
+ rabbit_sock_count = 0
+ parentId = 0
+ if agentq == "l3_agent":
+ proc = "neutron-l3-agen"
+ elif agentq == "dhcp_agent":
+ proc = "neutron-dhcp-ag"
+ elif agentq == "q-agent-notifier-tunnel-update":
+ proc = "neutron-openvsw"
+ else:
+ proc = "neutron-metadat"
+
+ rabbitmq_ports = get_rabbitmq_ports()
+
+ for p in psutil.process_iter():
+ try:
+ with p.oneshot():
+ if proc in " ".join(p.cmdline()):
+ if parentId == 0:
+ parentId = p.pid
+ else:
+ if p.ppid() == parentId:
+ continue
+ pcon = p.connections()
+ for con in pcon:
+ try:
+ port = con.raddr[1]
+ status = con.status
+ except IndexError:
+ continue
+ if port in rabbitmq_ports and\
+ status == tcp_established:
+ rabbit_sock_count = rabbit_sock_count + 1
+ except psutil.Error:
+ continue
+
+ if rabbit_sock_count == 0:
+ sys.stderr.write("RabbitMQ sockets not Established")
+ # Do not kill the pod if RabbitMQ is not reachable/down
+ if not cfg.CONF.liveness_probe:
+ sys.exit(1)
+
+
+class UnixDomainHTTPConnection(httplib.HTTPConnection):
+ """Connection class for HTTP over UNIX domain socket."""
+
+ def __init__(self, host, port=None, strict=None, timeout=None,
+ proxy_info=None):
+ httplib.HTTPConnection.__init__(self, host, port, strict)
+ self.timeout = timeout
+ self.socket_path = cfg.CONF.metadata_proxy_socket
+
+ def connect(self):
+ self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ if self.timeout:
+ self.sock.settimeout(self.timeout)
+ self.sock.connect(self.socket_path)
+
+
+def test_socket_liveness():
+ """Test if agent can respond to message over the socket"""
+ cfg.CONF.register_cli_opt(cfg.BoolOpt('liveness-probe', default=False,
+ required=False))
+ cfg.CONF.register_cli_opt(cfg.BoolOpt('use-fqdn', default=False,
+ required=False))
+ cfg.CONF(sys.argv[1:])
+
+ agentq = "metadata_agent"
+ tcp_socket_state_check(agentq)
+
+ try:
+ metadata_proxy_socket = cfg.CONF.metadata_proxy_socket
+ except cfg.NoSuchOptError:
+ cfg.CONF.register_opt(cfg.StrOpt(
+ 'metadata_proxy_socket',
+ default='/var/lib/neutron/openstack-helm/metadata_proxy'))
+
+ headers = {'X-Forwarded-For': '169.254.169.254',
+ 'X-Neutron-Router-ID': 'pod-health-probe-check-ignore-errors'}
+
+ h = httplib2.Http(timeout=30)
+
+ try:
+ resp, content = h.request(
+ 'http://169.254.169.254',
+ method='GET',
+ headers=headers,
+ connection_type=UnixDomainHTTPConnection)
+ except socket.error as se:
+ msg = "Socket error: Health probe failed to connect to " \
+ "Neutron Metadata agent: "
+ if se.strerror:
+ sys.stderr.write(msg + se.strerror)
+ elif getattr(se, "message", False):
+ sys.stderr.write(msg + se.message)
+ sys.exit(1) # return failure
+ except Exception as ex:
+ message = getattr(ex, "message", str(ex))
+ sys.stderr.write("Health probe caught exception sending message to "
+ "Neutron Metadata agent: %s" % message)
+ sys.exit(0) # return success
+
+ if resp.status >= 500: # Probe expects HTTP error code 404
+ msg = "Health probe failed: Neutron Metadata agent failed to" \
+ " process request: "
+ sys.stderr.write(msg + str(resp.__dict__))
+ sys.exit(1) # return failure
+
+
+def test_rpc_liveness():
+ """Test if agent can consume message from queue"""
+ oslo_messaging.set_transport_defaults(control_exchange='neutron')
+
+ rabbit_group = cfg.OptGroup(name='oslo_messaging_rabbit',
+ title='RabbitMQ options')
+ cfg.CONF.register_group(rabbit_group)
+ cfg.CONF.register_cli_opt(cfg.StrOpt('agent-queue-name'))
+ cfg.CONF.register_cli_opt(cfg.BoolOpt('liveness-probe', default=False,
+ required=False))
+ cfg.CONF.register_cli_opt(cfg.BoolOpt('use-fqdn', default=False,
+ required=False))
+
+ cfg.CONF(sys.argv[1:])
+
+ try:
+ transport = oslo_messaging.get_transport(cfg.CONF)
+ except Exception as ex:
+ message = getattr(ex, "message", str(ex))
+ sys.stderr.write("Message bus driver load error: %s" % message)
+ sys.exit(0) # return success
+
+ if not cfg.CONF.transport_url or \
+ not cfg.CONF.agent_queue_name:
+ sys.stderr.write("Both message bus URL and agent queue name are "
+ "required for Health probe to work")
+ sys.exit(0) # return success
+
+ try:
+ cfg.CONF.set_override('rabbit_max_retries', 2,
+ group=rabbit_group) # 3 attempts
+ except cfg.NoSuchOptError as ex:
+ cfg.CONF.register_opt(cfg.IntOpt('rabbit_max_retries', default=2),
+ group=rabbit_group)
+
+ agentq = cfg.CONF.agent_queue_name
+ tcp_socket_state_check(agentq)
+
+ check_agent_status(transport)
+
+def check_pid_running(pid):
+ if psutil.pid_exists(int(pid)):
+ return True
+ else:
+ return False
+
+if __name__ == "__main__":
+
+ if "liveness-probe" in ','.join(sys.argv):
+ pidfile = "/tmp/liveness.pid" #nosec
+ else:
+ pidfile = "/tmp/readiness.pid" #nosec
+ data = {}
+ if os.path.isfile(pidfile):
+ with open(pidfile,'r') as f:
+ data = json.load(f)
+ if check_pid_running(data['pid']):
+ if data['exit_count'] > 1:
+ # Third time in, kill the previous process
+ os.kill(int(data['pid']), signal.SIGTERM)
+ else:
+ data['exit_count'] = data['exit_count'] + 1
+ with open(pidfile, 'w') as f:
+ json.dump(data, f)
+ sys.exit(0)
+ data['pid'] = os.getpid()
+ data['exit_count'] = 0
+ with open(pidfile, 'w') as f:
+ json.dump(data, f)
+
+ if "sriov_agent.ini" in ','.join(sys.argv):
+ sriov_readiness_check()
+ elif "metadata_agent.ini" not in ','.join(sys.argv):
+ test_rpc_liveness()
+ else:
+ test_socket_liveness()
+
+ sys.exit(0) # return success
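Review bot: The `os.kill` in the `__main__` block terminates a PID read back from a world-writable `/tmp` pidfile after only a `psutil.pid_exists` check, so PID reuse (or anything else able to write `/tmp` in the pod's PID namespace) can make the probe SIGTERM an unrelated process, and a truncated or half-written pidfile raises out of `json.load`/`data['pid']`, failing the probe for a reason unrelated to agent health. The rewrite below makes `check_pid_running` confirm the PID is an earlier run of this script via its command line and treats a malformed pidfile as absent; the pidfile location itself is a container-local path, so I have left it. Separately, `UnixDomainHTTPConnection.__init__` passes `strict` positionally to `http.client.HTTPConnection`, where Python 3 binds it to `timeout`; it is overwritten right after, but the argument should be dropped. The many `sys.exit(0)` fail-open paths are a deliberate design per the module docstring, so I only note that the bare `except:` at the end of `check_agent_status` masks even a `SystemExit`-adjacent programming error.
```python
def check_pid_running(pid):
    """Return True only if pid is alive and is an earlier run of this probe."""
    try:
        proc = psutil.Process(int(pid))
        return any(os.path.basename(__file__) in arg for arg in proc.cmdline())
    except (psutil.Error, ValueError, TypeError):
        return False

# … unchanged: check_agent_status, sriov_readiness_check, probe functions …

if __name__ == "__main__":

    if "liveness-probe" in ','.join(sys.argv):
        pidfile = "/tmp/liveness.pid" #nosec
    else:
        pidfile = "/tmp/readiness.pid" #nosec
    data = {}
    if os.path.isfile(pidfile):
        try:
            with open(pidfile, 'r') as f:
                data = json.load(f)
            prev_pid = int(data['pid'])
            prev_count = int(data.get('exit_count', 0))
        except (ValueError, KeyError, TypeError):
            # Corrupt or half-written pidfile: start over rather than fail.
            data = {}
        else:
            if check_pid_running(prev_pid):
                if prev_count > 1:
                    # Third time in, kill the previous probe instance
                    os.kill(prev_pid, signal.SIGTERM)
                else:
                    data['exit_count'] = prev_count + 1
                    with open(pidfile, 'w') as f:
                        json.dump(data, f)
                    sys.exit(0)
    # … unchanged: record own pid/exit_count, dispatch to the probe checks …
```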
diff --git a/charts/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl b/charts/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl
new file mode 100644
index 0000000..e00b257
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{- if (has "openvswitch" .Values.network.backend) }}
+chown neutron: /run/openvswitch/db.sock
+{{- end }}
+
+# handle any bridge mappings
+for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`; do
+ bridge=${bmap%:*}
+ iface=${bmap#*:}
+{{- if (has "openvswitch" .Values.network.backend) }}
+ ovs-vsctl --no-wait --may-exist add-br $bridge
+ if [ -n "$iface" -a "$iface" != "null" ]; then
+ ovs-vsctl --no-wait --may-exist add-port $bridge $iface
+ ip link set dev $iface up
+ fi
+{{- else if (has "linuxbridge" .Values.network.backend) }}
+ set +e; ip link add name $bridge type bridge; set -e
+ ip link set dev $bridge up
+ [ -n "$iface" -a "$iface" != "null" ] && ip link set dev $iface master $bridge
+{{- end }}
+done
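Review bot: The interface test `[ -n "$iface" -a "$iface" != "null" ]` relies on the obsolescent `-a` operator, and the same commit writes the identical check in `_neutron-linuxbridge-agent-init.sh.tpl` as `[ -n "$iface" ] && [ "$iface" != "null" ]`; the two init scripts should use one form. `$bridge` and `$iface` are also passed unquoted to `ovs-vsctl` and `ip link`, so a stray space in a mapping would split into extra arguments — quote them as `"${bridge}"` / `"${iface}"`. The `sed`/`tr` parsing of `/tmp/auto_bridge_add` assumes a flat one-line JSON object; the linuxbridge variant documents this with `# /tmp/auto_bridge_add is one line json file: {"br-ex1":"eth1","br-ex2":"eth2"}` and the same comment belongs above this loop.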
diff --git a/charts/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl b/charts/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl
new file mode 100644
index 0000000..3726dba
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec bagpipe-bgp
diff --git a/charts/neutron/templates/bin/_neutron-dhcp-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-dhcp-agent-init.sh.tpl
new file mode 100644
index 0000000..3df3315
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-dhcp-agent-init.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
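Review bot: `host = $(hostname --fqdn)` is expanded inside the heredoc, so if `hostname --fqdn` fails or prints nothing, `set -e` does not abort and an empty `host =` is written to `/tmp/pod-shared/neutron-agent.ini`, leaving the agent to register under an unintended host value. Capture and check it first: `agent_host="$(hostname --fqdn)"`, `[ -n "${agent_host}" ] || exit 1`, then write `host = ${agent_host}`. `tee > file << EOF` with no file operand behaves like `cat`; `cat > /tmp/pod-shared/neutron-agent.ini << EOF` states the intent more plainly. The same pattern appears in the `_neutron-l3-agent-init.sh.tpl`, `_neutron-metadata-agent-init.sh.tpl` and `_neutron-linuxbridge-agent-init.sh.tpl` hunks.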
diff --git a/charts/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
new file mode 100644
index 0000000..0f73e5a
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-dhcp-agent.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec neutron-dhcp-agent \
+ --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+ --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+{{- if ( has "openvswitch" .Values.network.backend ) }}
+ --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini \
+{{- end }}
+ --config-file /etc/neutron/dhcp_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-ironic-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-ironic-agent.sh.tpl
new file mode 100644
index 0000000..0484c7d
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-ironic-agent.sh.tpl
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec ironic-neutron-agent \
+ --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+ --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
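Review bot: `$COMMAND` executes the container arguments as an unquoted shell command, so any value other than `start` or `stop` is run verbatim rather than rejected; dispatch explicitly with `case "${COMMAND}" in start) start ;; stop) stop ;; *) echo "unknown command: ${COMMAND}" >&2; exit 1 ;; esac`. `stop` sends TERM to PID 1, which presumably only reaches the agent because `start` uses `exec` — a one-line comment stating that assumption would help, since an init wrapper in the image would break it.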
diff --git a/charts/neutron/templates/bin/_neutron-l2gw-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-l2gw-agent.sh.tpl
new file mode 100644
index 0000000..bbf7ac6
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-l2gw-agent.sh.tpl
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec neutron-l2gateway-agent \
+ --config-file=/etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+ --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+ --config-file=/etc/neutron/l2gw_agent.ini
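Review bot: The invocation mixes `--config-file=/etc/neutron/neutron.conf` with the space-separated `--config-file /tmp/pod-shared/neutron-agent.ini` on the templated line; both forms work, but the other agent scripts in this commit use the space form throughout, so `--config-file /etc/neutron/neutron.conf \` and `--config-file /etc/neutron/l2gw_agent.ini` would keep the set consistent.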
diff --git a/charts/neutron/templates/bin/_neutron-l3-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-l3-agent-init.sh.tpl
new file mode 100644
index 0000000..b9b93b2
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-l3-agent-init.sh.tpl
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/charts/neutron/templates/bin/_neutron-l3-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-l3-agent.sh.tpl
new file mode 100644
index 0000000..2b64255
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-l3-agent.sh.tpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+
+exec neutron-l3-agent \
+ --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+ --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+ --config-file /etc/neutron/l3_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl b/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl
new file mode 100644
index 0000000..2ef5970
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init-modules.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe bridge
+chroot /mnt/host-rootfs modprobe ip6_tables
+chroot /mnt/host-rootfs modprobe ebtables
diff --git a/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl
new file mode 100644
index 0000000..ed95189
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-linuxbridge-agent-init.sh.tpl
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+# configure all bridge mappings defined in config
+# /tmp/auto_bridge_add is one line json file: {"br-ex1":"eth1","br-ex2":"eth2"}
+for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`
+do
+ bridge=${bmap%:*}
+ iface=${bmap#*:}
+ # adding existing bridge would break out the script when -e is set
+ set +e
+ ip link add name $bridge type bridge
+ set -e
+ ip link set dev $bridge up
+ if [ -n "$iface" ] && [ "$iface" != "null" ]
+ then
+ ip link set dev $iface master $bridge
+ fi
+done
+
+tunnel_interface="{{- .Values.network.interface.tunnel -}}"
+if [ -z "${tunnel_interface}" ] ; then
+ # search for interface with tunnel network routing
+ tunnel_network_cidr="{{- .Values.network.interface.tunnel_network_cidr -}}"
+ if [ -z "${tunnel_network_cidr}" ] ; then
+ tunnel_network_cidr="0/0"
+ fi
+ # If there is not tunnel network gateway, exit
+ tunnel_interface=$(ip -4 route list ${tunnel_network_cidr} | awk -F 'dev' '{ print $2; exit }' \
+ | awk '{ print $1 }') || exit 1
+fi
+
+# determine local-ip dynamically based on interface provided but only if tunnel_types is not null
+LOCAL_IP=$(ip a s $tunnel_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}')
+if [ -z "${LOCAL_IP}" ] ; then
+ echo "Var LOCAL_IP is empty"
+ exit 1
+fi
+
+tee > /tmp/pod-shared/ml2-local-ip.ini << EOF
+[vxlan]
+local_ip = "${LOCAL_IP}"
+EOF
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
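Review bot: `LOCAL_IP=$(ip a s $tunnel_interface | grep 'inet ' | awk '{print $2}' | ...)` emits one line per IPv4 address, so an interface with more than one address yields a multi-line `LOCAL_IP` that is written unchanged into `local_ip =` in `ml2-local-ip.ini`; take the first address only, e.g. `LOCAL_IP=$(ip -4 -o addr show dev "${tunnel_interface}" | awk '{ print $4; exit }' | cut -d/ -f1)`, which matches the `awk '{ print $4; exit }'` idiom used in the openvswitch init script of this commit. The `|| exit 1` after the `tunnel_interface=$(... | awk ...)` pipeline only sees the status of the final `awk`, so it never fires; the empty-`LOCAL_IP` check below is what actually catches a missing route, and the comment above should say so. `ml2-local-ip.ini` is written to `/tmp/pod-shared` before the conditional `mkdir -p /tmp/pod-shared` further down — presumably the directory is a mounted volume, but moving the `mkdir -p` above the first write removes the dependency.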
diff --git a/charts/neutron/templates/bin/_neutron-linuxbridge-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-linuxbridge-agent.sh.tpl
new file mode 100644
index 0000000..8948cb9
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-linuxbridge-agent.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec neutron-linuxbridge-agent \
+ --config-file /etc/neutron/neutron.conf \
+ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+ --config-file /tmp/pod-shared/ml2-local-ip.ini \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+ --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+ --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
new file mode 100644
index 0000000..5b6ce43
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-metadata-agent-init.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
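Review bot: `chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm` expands to a bare `chown <path>` when the variable is unset, which fails with a usage error that `set -e` turns into an opaque init-container crash; `chown "${NEUTRON_USER_UID:?NEUTRON_USER_UID is not set}" /var/lib/neutron/openstack-helm` fails with a message naming the cause. The heredoc-written `host = $(hostname --fqdn)` block shares the empty-value issue described on the `_neutron-dhcp-agent-init.sh.tpl` hunk.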
diff --git a/charts/neutron/templates/bin/_neutron-metadata-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
new file mode 100644
index 0000000..f93d169
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-metadata-agent.sh.tpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec neutron-metadata-agent \
+ --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+ --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+ --config-file /etc/neutron/metadata_agent.ini
+
diff --git a/charts/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl b/charts/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl
new file mode 100644
index 0000000..f4913ed
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-netns-cleanup-cron.py.tpl
@@ -0,0 +1,157 @@
+#!/usr/bin/env python
+
+import sys
+import os
+import time
+import socket
+from neutron.common import config
+from oslo_config import cfg
+from oslo_concurrency import processutils
+from neutron.agent.linux import dhcp
+from neutron.agent.l3 import namespaces
+from neutron.agent.l3 import dvr_snat_ns
+from neutron.agent.l3 import dvr_fip_ns
+from neutron.cmd.netns_cleanup import setup_conf
+from neutron.cmd.netns_cleanup import unplug_device
+from neutron.cmd.netns_cleanup import eligible_for_deletion
+from neutron.conf.agent import common as agent_config
+from neutron.agent.linux import ip_lib
+from keystoneauth1.identity import v3
+from keystoneauth1 import session
+from neutronclient.neutron import client as neutron_client
+NS_PREFIXES = {'l3': [namespaces.NS_PREFIX, dvr_snat_ns.SNAT_NS_PREFIX,
+ dvr_fip_ns.FIP_NS_PREFIX]}
+DHCP_NS_PREFIX = dhcp.NS_PREFIX
+
+def get_neutron_creds():
+ opts = {'auth_url': os.getenv('OS_AUTH_URL', 'https://keystone-api.openstack.svc.cluster.local:5000/v3'),
+ 'password': os.getenv('OS_PASSWORD','nopassword'),
+ 'project_domain_name': os.getenv('OS_PROJECT_DOMAIN_NAME', 'default'),
+ 'project_name': os.getenv('OS_PROJECT_NAME', 'admin'),
+ 'user_domain_name': os.getenv('OS_USER_DOMAIN_NAME', 'default'),
+ 'username': os.getenv('OS_USERNAME', 'admin'),
+ 'cafile' : os.getenv('OS_CACERT','/var/lib/neutron/openstack-helm/openstack-helm.crt'),
+ 'insecure' : os.getenv('NEUTRON_CLEANUP_INSECURE', 'true'),
+ 'debug': os.getenv('NEUTRON_CLEANUP_DEBUG', 'true'),
+ 'wait': os.getenv('NEUTRON_CLEANUP_TIMEOUT', '600')}
+ return opts
+
+def ldestroy_namespace(conf, namespace):
+ try:
+ ip = ip_lib.IPWrapper(namespace=namespace)
+ if ip.netns.exists(namespace):
+ cmd = ['ip', 'netns', 'pids', namespace]
+ output = processutils.execute(*cmd, run_as_root=True, root_helper=conf.AGENT.root_helper)
+ for pid in output[0].splitlines():
+ utils.kill_process(pid, signal.SIGTERM, run_as_root=True, root_helper=conf.AGENT.root_helper)
+ for device in ip.get_devices():
+ unplug_device(device)
+ ip.garbage_collect_namespace()
+ except Exception as e:
+ sys.stderr.write("Error - unable to destroy namespace: {} : {}\n".format(namespace, e))
+
+def net_list(neutron_get):
+ hosts = dict()
+ net_list = neutron_get.list_networks()
+ if net_list['networks']:
+ for item in net_list['networks']:
+ net_id=item['id']
+ dhcp_agents = neutron_get.list_dhcp_agent_hosting_networks(net_id)['agents']
+ agents = list()
+ if dhcp_agents:
+ for agent in dhcp_agents:
+ agents.append(agent['host'].split('.')[0])
+ hosts[net_id] = agents
+ return hosts
+
+def sort_ns(all_ns, dhcp_prefix):
+ dhcp_ns = list()
+ not_dhcp_ns = list()
+ for ns in all_ns:
+ if ns[:len(dhcp_prefix)] == dhcp_prefix:
+ dhcp_ns.append(ns)
+ else:
+ not_dhcp_ns.append(ns)
+ return dhcp_ns, not_dhcp_ns
+
+def del_bad_dhcp(dhcp_ns, dhcp_hosts, conf, dhcp_prefix, debug):
+ for ns in dhcp_ns:
+ cut_ns_name = ns[len(dhcp_prefix):]
+ if cut_ns_name in dhcp_hosts:
+ if hostname not in dhcp_hosts[cut_ns_name]:
+ ldestroy_namespace(conf, ns)
+ if debug:
+ sys.stderr.write("DEBUG: {} host {} deleted {} because host wrong\n"
+ .format(sys.argv[0], hostname, ns))
+ else:
+ if debug:
+ sys.stderr.write("DEBUG: {} host {} {} looks ok\n"
+ .format(sys.argv[0], hostname, ns))
+ else:
+ ldestroy_namespace(conf, ns)
+ if debug:
+ sys.stderr.write("DEBUG: {} host {} deleted {} because no related network found\n"
+ .format(sys.argv[0], hostname, ns))
+
+def del_bad_not_dhcp(not_dhcp_ns, conf, debug):
+ for ns in not_dhcp_ns:
+ if eligible_for_deletion(conf, ns, conf.force):
+ ldestroy_namespace(conf, ns)
+ if debug:
+ sys.stderr.write("DEBUG: {} host {} deleted {} because no IP addr\n"
+ .format(sys.argv[0], hostname, ns))
+
+if __name__ == "__main__":
+
+ conf = setup_conf()
+ cfg.CONF(sys.argv[1:])
+ opts = get_neutron_creds()
+ debug = False
+ verify= False
+ if opts.pop('debug') in ('true', '1', 'True'):
+ debug = True
+ insecure = opts.pop('insecure')
+ cafile = opts.pop('cafile')
+ if insecure in ('false', '0', 'False'):
+ verify = cafile
+ timeout = int(opts.pop('wait'))
+ conf()
+ config.setup_logging()
+ agent_config.setup_privsep()
+ auth = v3.Password(**opts)
+ hostname = socket.gethostname().split('.')[0]
+
+ while True:
+ try:
+ all_ns = ip_lib.list_network_namespaces()
+ sess = session.Session(auth=auth, verify=verify)
+ neutron_get = neutron_client.Client('2.0', session=sess)
+ dhcp_hosts = net_list(neutron_get)
+ if all_ns:
+ dhcp_ns, not_dhcp_ns = sort_ns(all_ns, DHCP_NS_PREFIX)
+ if dhcp_ns:
+ del_bad_dhcp(dhcp_ns, dhcp_hosts, conf, DHCP_NS_PREFIX, debug)
+ else:
+ if debug:
+ sys.stderr.write("DEBUG: {} host {} no dhcp ns found\n"
+ .format(sys.argv[0], hostname))
+ if not_dhcp_ns:
+ del_bad_not_dhcp(not_dhcp_ns, conf, debug)
+ else:
+ if debug:
+ sys.stderr.write("DEBUG: {} host {} no not_dhcp ns found\n"
+ .format(sys.argv[0], hostname))
+ else:
+ if debug:
+ sys.stderr.write("DEBUG: {} host {} no ns found at all\n"
+ .format(sys.argv[0], hostname))
+ except Exception as ex:
+ sys.stderr.write(
+ "Cleaning network namespaces caught an exception %s"
+ % str(ex))
+ time.sleep(30)
+ except:
+ sys.stderr.write(
+ "Cleaning network namespaces caught an exception")
+ time.sleep(30)
+ time.sleep(timeout)
\ No newline at end of file
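Review bot: `ldestroy_namespace` calls `utils.kill_process(pid, signal.SIGTERM, ...)`, but neither `utils` nor `signal` is imported in the module's import block, so any namespace that still has processes raises NameError, which the `except Exception` in the same function swallows as "unable to destroy namespace" — such namespaces are never cleaned and the real cause is hidden. Add `import signal` and `from neutron.agent.linux import utils`, and confirm that `utils.kill_process` accepts the `root_helper=` keyword in the targeted neutron release. Separately, `get_neutron_creds` defaults `insecure` to `'true'`, so `verify` stays `False` unless `NEUTRON_CLEANUP_INSECURE` is explicitly set to false and the keystone session skips certificate verification by default; the secure default is `'insecure': os.getenv('NEUTRON_CLEANUP_INSECURE', 'false')`, verifying against `cafile`. The bare `except:` at the end of the loop also catches `KeyboardInterrupt`/`SystemExit`; `except Exception` on the preceding branch already covers what is intended.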
diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl
new file mode 100644
index 0000000..a243867
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init-modules.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe ip6_tables
+
+{{- if .Values.conf.ovs_dpdk.enabled }}
+chroot /mnt/host-rootfs modprobe {{ .Values.conf.ovs_dpdk.driver | quote }}
+{{- end }}
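Review bot: `{{ .Values.conf.ovs_dpdk.driver | quote }}` renders a double-quoted shell argument, inside which `$`, backticks and `$(...)` are still expanded by bash, so the value is not passed to `modprobe` literally; `{{ .Values.conf.ovs_dpdk.driver | squote }}` yields a single-quoted argument that is used verbatim. The `chroot /mnt/host-rootfs modprobe` calls presumably require the init container to run privileged with the host root mounted at `/mnt/host-rootfs`; a one-line comment stating that requirement would help whoever maintains the pod spec.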
diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl
new file mode 100644
index 0000000..3283e09
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent-init.sh.tpl
@@ -0,0 +1,496 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+OVS_SOCKET=/run/openvswitch/db.sock
+chown neutron: ${OVS_SOCKET}
+
+# This enables the usage of 'ovs-appctl' from neutron pod.
+OVS_PID=$(cat /run/openvswitch/ovs-vswitchd.pid)
+OVS_CTL=/run/openvswitch/ovs-vswitchd.${OVS_PID}.ctl
+chown neutron: ${OVS_CTL}
+
+function get_dpdk_config_value {
+ values=$1
+ filter=$2
+ value=$(echo ${values} | jq -r ${filter})
+ if [[ "${value}" == "null" ]]; then
+ echo ""
+ else
+ echo "${value}"
+ fi
+}
+
+
+DPDK_CONFIG_FILE=/tmp/dpdk.conf
+DPDK_CONFIG=""
+DPDK_ENABLED=false
+if [ -f ${DPDK_CONFIG_FILE} ]; then
+ DPDK_CONFIG=$(cat ${DPDK_CONFIG_FILE})
+ if [[ $(get_dpdk_config_value ${DPDK_CONFIG} '.enabled') == "true" ]]; then
+ DPDK_ENABLED=true
+ fi
+fi
+
+function bind_nic {
+ echo $2 > /sys/bus/pci/devices/$1/driver_override
+ echo $1 > /sys/bus/pci/drivers/$2/bind
+}
+
+function unbind_nic {
+ echo $1 > /sys/bus/pci/drivers/$2/unbind
+ echo > /sys/bus/pci/devices/$1/driver_override
+}
+
+function get_name_by_pci_id {
+ path=$(find /sys/bus/pci/devices/$1/ -name net)
+ if [ -n "${path}" ] ; then
+ echo $(ls -1 $path/)
+ fi
+}
+
+function get_ip_address_from_interface {
+ local interface=$1
+ local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $1}')
+ if [ -z "${ip}" ] ; then
+ exit 1
+ fi
+ echo ${ip}
+}
+
+function get_ip_prefix_from_interface {
+ local interface=$1
+ local prefix=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $2}')
+ if [ -z "${prefix}" ] ; then
+ exit 1
+ fi
+ echo ${prefix}
+}
+
+function migrate_ip {
+ pci_id=$1
+ bridge_name=$2
+
+ local src_nic=$(get_name_by_pci_id ${pci_id})
+ if [ -n "${src_nic}" ] ; then
+ bridge_exists=$(ip a s "${bridge_name}" | grep "${bridge_name}" | cut -f2 -d':' 2> /dev/null)
+ if [ -z "${bridge_exists}" ] ; then
+ echo "Bridge "${bridge_name}" does not exist. Creating it on demand."
+ init_ovs_dpdk_bridge "${bridge_name}"
+ fi
+
+ migrate_ip_from_nic ${src_nic} ${bridge_name}
+ fi
+}
+
+function migrate_ip_from_nic {
+ src_nic=$1
+ bridge_name=$2
+
+ # Enabling explicit error handling: We must avoid to lose the IP
+ # address in the migration process. Hence, on every error, we
+ # attempt to assign the IP back to the original NIC and exit.
+ set +e
+
+ ip=$(get_ip_address_from_interface ${src_nic})
+ prefix=$(get_ip_prefix_from_interface ${src_nic})
+
+ bridge_ip=$(get_ip_address_from_interface "${bridge_name}")
+ bridge_prefix=$(get_ip_prefix_from_interface "${bridge_name}")
+
+ ip link set ${bridge_name} up
+
+ if [[ -n "${ip}" && -n "${prefix}" ]]; then
+ ip addr flush dev ${src_nic}
+ if [ $? -ne 0 ] ; then
+ ip addr add ${ip}/${prefix} dev ${src_nic}
+ echo "Error while flushing IP from ${src_nic}."
+ exit 1
+ fi
+
+ ip addr add ${ip}/${prefix} dev "${bridge_name}"
+ if [ $? -ne 0 ] ; then
+ echo "Error assigning IP to bridge "${bridge_name}"."
+ ip addr add ${ip}/${prefix} dev ${src_nic}
+ exit 1
+ fi
+ elif [[ -n "${bridge_ip}" && -n "${bridge_prefix}" ]]; then
+ echo "Bridge '${bridge_name}' already has IP assigned. Keeping the same:: IP:[${bridge_ip}]; Prefix:[${bridge_prefix}]..."
+ elif [[ -z "${bridge_ip}" && -z "${ip}" ]]; then
+ echo "Interface and bridge have no ips configured. Leaving as is."
+ else
+ echo "Interface ${name} has invalid IP address. IP:[${ip}]; Prefix:[${prefix}]..."
+ exit 1
+ fi
+
+ set -e
+}
+
+function get_pf_or_vf_pci {
+ dpdk_pci_id=${1}
+ vf_index=${2}
+
+ if [ -n "$vf_index" ]
+ then
+ iface=$(get_name_by_pci_id "${dpdk_pci_id}")
+ sysfs_numvfs_path="/sys/class/net/${iface}/device/sriov_numvfs"
+ if [[ -f /sys/class/net/${iface}/device/sriov_numvfs &&
+ "$(cat /sys/class/net/${iface}/device/sriov_numvfs)" -ne "0" &&
+ -e /sys/class/net/${iface}/device/virtfn${vf_index} ]]
+ then
+ dpdk_pci_id=$(ls -la /sys/class/net/${iface}/device/virtfn${vf_index})
+ dpdk_pci_id=${dpdk_pci_id#*"../"}
+ else
+ echo "Error fetching the VF PCI for PF: ["${iface}", "${dpdk_pci_id}"] and VF-Index: ${vf_index}."
+ exit 1
+ fi
+ fi
+}
+
+function bind_dpdk_nic {
+ target_driver=${1}
+ pci_id=${2}
+
+ current_driver="$(get_driver_by_address "${pci_id}" )"
+ if [ "$current_driver" != "$target_driver" ]; then
+ if [ "$current_driver" != "" ]; then
+ unbind_nic "${pci_id}" ${current_driver}
+ fi
+ bind_nic "${pci_id}" ${target_driver}
+ fi
+}
+
+function process_dpdk_nics {
+ target_driver=$(get_dpdk_config_value ${DPDK_CONFIG} '.driver')
+ # loop over all nics
+ echo $DPDK_CONFIG | jq -r -c '.nics[]' | \
+ while IFS= read -r nic; do
+ local port_name=$(get_dpdk_config_value ${nic} '.name')
+ local pci_id=$(get_dpdk_config_value ${nic} '.pci_id')
+ local bridge=$(get_dpdk_config_value ${nic} '.bridge')
+ local vf_index=$(get_dpdk_config_value ${nic} '.vf_index')
+
+ if [[ $(get_dpdk_config_value ${nic} '.migrate_ip') == true ]] ; then
+ migrate_ip "${pci_id}" "${bridge}"
+ fi
+
+ iface=$(get_name_by_pci_id "${pci_id}")
+
+ if [ -n "${iface}" ]; then
+ ip link set ${iface} promisc on
+ if [ -n "${vf_index}" ]; then
+ vf_string="vf ${vf_index}"
+ ip link set ${iface} ${vf_string} trust on
+
+ # NOTE: To ensure proper toggle of spoofchk,
+ # turn it on then off.
+ ip link set ${iface} ${vf_string} spoofchk on
+ ip link set ${iface} ${vf_string} spoofchk off
+ fi
+ fi
+
+ # Fetch the PCI to be bound to DPDK driver.
+ # In case VF Index is configured then PCI of that particular VF
+ # is bound to DPDK, otherwise PF PCI is bound to DPDK.
+ get_pf_or_vf_pci "${pci_id}" "${vf_index}"
+
+ bind_dpdk_nic ${target_driver} "${dpdk_pci_id}"
+
+ dpdk_options=""
+ ofport_request=$(get_dpdk_config_value ${nic} '.ofport_request')
+ if [ -n "${ofport_request}" ]; then
+ dpdk_options+='ofport_request=${ofport_request} '
+ fi
+ n_rxq=$(get_dpdk_config_value ${nic} '.n_rxq')
+ if [ -n "${n_rxq}" ]; then
+ dpdk_options+='options:n_rxq=${n_rxq} '
+ fi
+ n_txq=$(get_dpdk_config_value ${nic} '.n_txq')
+ if [ -n "${n_txq}" ]; then
+ dpdk_options+='options:n_txq=${n_txq} '
+ fi
+ pmd_rxq_affinity=$(get_dpdk_config_value ${nic} '.pmd_rxq_affinity')
+ if [ -n "${pmd_rxq_affinity}" ]; then
+ dpdk_options+='other_config:pmd-rxq-affinity=${pmd_rxq_affinity} '
+ fi
+ mtu=$(get_dpdk_config_value ${nic} '.mtu')
+ if [ -n "${mtu}" ]; then
+ dpdk_options+='mtu_request=${mtu} '
+ fi
+ n_rxq_size=$(get_dpdk_config_value ${nic} '.n_rxq_size')
+ if [ -n "${n_rxq_size}" ]; then
+ dpdk_options+='options:n_rxq_desc=${n_rxq_size} '
+ fi
+ n_txq_size=$(get_dpdk_config_value ${nic} '.n_txq_size')
+ if [ -n "${n_txq_size}" ]; then
+ dpdk_options+='options:n_txq_desc=${n_txq_size} '
+ fi
+ vhost_iommu_support=$(get_dpdk_config_value ${nic} '.vhost-iommu-support')
+ if [ -n "${vhost_iommu_support}" ]; then
+ dpdk_options+='options:vhost-iommu-support=${vhost_iommu_support} '
+ fi
+
+ ovs-vsctl --db=unix:${OVS_SOCKET} --may-exist add-port ${bridge} ${port_name} \
+ -- set Interface ${port_name} type=dpdk options:dpdk-devargs=${pci_id} ${dpdk_options}
+
+ done
+}
+
+function process_dpdk_bonds {
+ target_driver=$(get_dpdk_config_value ${DPDK_CONFIG} '.driver')
+ # loop over all bonds
+ echo $DPDK_CONFIG | jq -r -c '.bonds[]' > /tmp/bonds_array
+ while IFS= read -r bond; do
+ local bond_name=$(get_dpdk_config_value ${bond} '.name')
+ local dpdk_bridge=$(get_dpdk_config_value ${bond} '.bridge')
+ local migrate_ip=$(get_dpdk_config_value ${bond} '.migrate_ip')
+ local mtu=$(get_dpdk_config_value ${bond} '.mtu')
+ local n_rxq=$(get_dpdk_config_value ${bond} '.n_rxq')
+ local n_txq=$(get_dpdk_config_value ${bond} '.n_txq')
+ local ofport_request=$(get_dpdk_config_value ${bond} '.ofport_request')
+ local n_rxq_size=$(get_dpdk_config_value ${bond} '.n_rxq_size')
+ local n_txq_size=$(get_dpdk_config_value ${bond} '.n_txq_size')
+ local vhost_iommu_support=$(get_dpdk_config_value ${bond} '.vhost-iommu-support')
+ local ovs_options=$(get_dpdk_config_value ${bond} '.ovs_options')
+
+ local nic_name_str=""
+ local dev_args_str=""
+ local ip_migrated=false
+
+ echo $bond | jq -r -c '.nics[]' > /tmp/nics_array
+ while IFS= read -r nic; do
+ local pci_id=$(get_dpdk_config_value ${nic} '.pci_id')
+ local nic_name=$(get_dpdk_config_value ${nic} '.name')
+ local pmd_rxq_affinity=$(get_dpdk_config_value ${nic} '.pmd_rxq_affinity')
+ local vf_index=$(get_dpdk_config_value ${nic} '.vf_index')
+ local vf_string=""
+
+ if [[ ${migrate_ip} = "true" && ${ip_migrated} = "false" ]]; then
+ migrate_ip "${pci_id}" "${dpdk_bridge}"
+ ip_migrated=true
+ fi
+
+ iface=$(get_name_by_pci_id "${pci_id}")
+
+ if [ -n "${iface}" ]; then
+ ip link set ${iface} promisc on
+ if [ -n "${vf_index}" ]; then
+ vf_string="vf ${vf_index}"
+ ip link set ${iface} ${vf_string} trust on
+
+ # NOTE: To ensure proper toggle of spoofchk,
+ # turn it on then off.
+ ip link set ${iface} ${vf_string} spoofchk on
+ ip link set ${iface} ${vf_string} spoofchk off
+ fi
+ fi
+
+ # Fetch the PCI to be bound to DPDK driver.
+ # In case VF Index is configured then PCI of that particular VF
+ # is bound to DPDK, otherwise PF PCI is bound to DPDK.
+ get_pf_or_vf_pci "${pci_id}" "${vf_index}"
+
+ bind_dpdk_nic ${target_driver} "${dpdk_pci_id}"
+
+ nic_name_str+=" "${nic_name}""
+ dev_args_str+=" -- set Interface "${nic_name}" type=dpdk options:dpdk-devargs=""${dpdk_pci_id}"
+
+ if [[ -n ${mtu} ]]; then
+ dev_args_str+=" -- set Interface "${nic_name}" mtu_request=${mtu}"
+ fi
+
+ if [[ -n ${n_rxq} ]]; then
+ dev_args_str+=" -- set Interface "${nic_name}" options:n_rxq=${n_rxq}"
+ fi
+
+ if [[ -n ${n_txq} ]]; then
+ dev_args_str+=" -- set Interface "${nic_name}" options:n_txq=${n_txq}"
+ fi
+
+ if [[ -n ${ofport_request} ]]; then
+ dev_args_str+=" -- set Interface "${nic_name}" ofport_request=${ofport_request}"
+ fi
+
+ if [[ -n ${pmd_rxq_affinity} ]]; then
+ dev_args_str+=" -- set Interface "${nic_name}" other_config:pmd-rxq-affinity=${pmd_rxq_affinity}"
+ fi
+
+ if [[ -n ${n_rxq_size} ]]; then
+ dev_args_str+=" -- set Interface "${nic_name}" options:n_rxq_desc=${n_rxq_size}"
+ fi
+
+ if [[ -n ${n_txq_size} ]]; then
+ dev_args_str+=" -- set Interface "${nic_name}" options:n_txq_desc=${n_txq_size}"
+ fi
+
+ if [[ -n ${vhost_iommu_support} ]]; then
+ dev_args_str+=" -- set Interface "${nic_name}" options:vhost-iommu-support=${vhost_iommu_support}"
+ fi
+ done < /tmp/nics_array
+
+ if [ "${UPDATE_DPDK_BOND_CONFIG}" == "true" ]; then
+ echo -e "NOTE: UPDATE_DPDK_BOND_CONFIG is set to true.\
+ \nThis might cause disruptions in ovs traffic.\
+ \nTo avoid this disruption set UPDATE_DPDK_BOND_CONFIG to false."
+ ovs-vsctl --db=unix:${OVS_SOCKET} set Bridge "${dpdk_bridge}" other_config:update_config=true
+ ovs_update_config=true
+ else
+ ovs_update_config=$(ovs-vsctl --columns=other_config --no-heading -d json list bridge "${dpdk_bridge}" \
+ | jq -r '.[1][] as $list | if $list[0] == "update_config" then $list[1] else empty end')
+ fi
+
+
+ if [ "${ovs_update_config}" == "true" ] || [ "${ovs_update_config}" == "" ];
+ then
+ ovs-vsctl --db=unix:${OVS_SOCKET} --if-exists del-port "${bond_name}"
+ ovs-vsctl --db=unix:${OVS_SOCKET} set Bridge "${dpdk_bridge}" other_config:update_config=false
+ ovs-vsctl --db=unix:${OVS_SOCKET} --may-exist add-bond "${dpdk_bridge}" "${bond_name}" \
+ ${nic_name_str} \
+ "${ovs_options}" ${dev_args_str}
+ fi
+
+ done < "/tmp/bonds_array"
+}
+
+function set_dpdk_module_log_level {
+ # loop over all target modules
+ if [ -n "$(get_dpdk_config_value ${DPDK_CONFIG} '.modules')" ]; then
+ echo $DPDK_CONFIG | jq -r -c '.modules[]' > /tmp/modules_array
+ while IFS= read -r module; do
+ local mod_name=$(get_dpdk_config_value ${module} '.name')
+ local mod_level=$(get_dpdk_config_value ${module} '.log_level')
+
+ ovs-appctl -t ${OVS_CTL} vlog/set ${mod_name}:${mod_level}
+ ovs-appctl -t ${OVS_CTL} vlog/list|grep ${mod_name}
+ done < /tmp/modules_array
+ fi
+}
+
+function get_driver_by_address {
+ if [[ -e /sys/bus/pci/devices/$1/driver ]]; then
+ echo $(ls /sys/bus/pci/devices/$1/driver -al | awk '{n=split($NF,a,"/"); print a[n]}')
+ fi
+}
+
+function init_ovs_dpdk_bridge {
+ bridge=$1
+ ovs-vsctl --db=unix:${OVS_SOCKET} --may-exist add-br ${bridge} \
+ -- set Bridge ${bridge} datapath_type=netdev
+ ip link set ${bridge} up
+}
+
+# create all additional bridges defined in the DPDK section
+function init_ovs_dpdk_bridges {
+ for br in $(get_dpdk_config_value ${DPDK_CONFIG} '.bridges[].name'); do
+ init_ovs_dpdk_bridge ${br}
+ done
+}
+
+# handle any bridge mappings
+# /tmp/auto_bridge_add is one line json file: {"br-ex1":"eth1","br-ex2":"eth2"}
+for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`
+do
+ bridge=${bmap%:*}
+ iface=${bmap#*:}
+ ovs-vsctl --no-wait --may-exist add-br $bridge
+ if [ -n "$iface" ] && [ "$iface" != "null" ]
+ then
+ ovs-vsctl --no-wait --may-exist add-port $bridge $iface
+ migrate_ip_from_nic $iface $bridge
+ if [[ $(get_dpdk_config_value ${DPDK_CONFIG} '.enabled') != "true" ]]; then
+ ip link set dev $iface up
+ fi
+ fi
+done
+
+tunnel_types="{{- .Values.conf.plugins.openvswitch_agent.agent.tunnel_types -}}"
+if [[ -n "${tunnel_types}" ]] ; then
+ tunnel_interface="{{- .Values.network.interface.tunnel -}}"
+ if [ -z "${tunnel_interface}" ] ; then
+ # search for interface with tunnel network routing
+ tunnel_network_cidr="{{- .Values.network.interface.tunnel_network_cidr -}}"
+ if [ -z "${tunnel_network_cidr}" ] ; then
+ tunnel_network_cidr="0/0"
+ fi
+ # If there is not tunnel network gateway, exit
+ tunnel_interface=$(ip -4 route list ${tunnel_network_cidr} | awk -F 'dev' '{ print $2; exit }' \
+ | awk '{ print $1 }') || exit 1
+ fi
+fi
+
+if [[ "${DPDK_ENABLED}" == "true" ]]; then
+ init_ovs_dpdk_bridges
+ process_dpdk_nics
+ process_dpdk_bonds
+ set_dpdk_module_log_level
+fi
+
+# determine local-ip dynamically based on interface provided but only if tunnel_types is not null
+if [[ -n "${tunnel_types}" ]] ; then
+ LOCAL_IP=$(get_ip_address_from_interface ${tunnel_interface})
+ if [ -z "${LOCAL_IP}" ] ; then
+ echo "Var LOCAL_IP is empty"
+ exit 1
+ fi
+
+tee > /tmp/pod-shared/ml2-local-ip.ini << EOF
+[ovs]
+local_ip = "${LOCAL_IP}"
+EOF
+
+ if [[ "${DPDK_ENABLED}" == "true" ]]; then
+ PREFIX=$(get_ip_prefix_from_interface "${tunnel_interface}")
+
+ # loop over all nics
+ echo $DPDK_CONFIG | jq -r -c '.bridges[]' | \
+ while IFS= read -r br; do
+ bridge_name=$(get_dpdk_config_value ${br} '.name')
+ tunnel_underlay_vlan=$(get_dpdk_config_value ${br} '.tunnel_underlay_vlan')
+
+ if [[ "${bridge_name}" == "${tunnel_interface}" ]]; then
+ # Route the tunnel traffic via the physical bridge
+ if [[ -n "${LOCAL_IP}" && -n "${PREFIX}" ]]; then
+ if [[ -n $(ovs-appctl -t ${OVS_CTL} ovs/route/show | grep "${LOCAL_IP}" | grep -v '^Cached:') ]]; then
+ ovs-appctl -t ${OVS_CTL} ovs/route/del "${LOCAL_IP}"/"${PREFIX}"
+ fi
+ ovs-appctl -t ${OVS_CTL} ovs/route/add "${LOCAL_IP}"/"${PREFIX}" "${tunnel_interface}"
+
+ if [[ -n "${tunnel_underlay_vlan}" ]]; then
+ # If there is not tunnel network gateway, exit
+ IFS=. read -r i1 i2 i3 i4 <<< "${LOCAL_IP}"
+ IFS=. read -r xx m1 m2 m3 m4 <<< $(for a in $(seq 1 32); do if [ $(((a - 1) % 8)) -eq 0 ]; then echo -n .; fi; if [ $a -le ${PREFIX} ]; then echo -n 1; else echo -n 0; fi; done)
+ tunnel_network_cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & (2#$m1)))" "$((i2 & (2#$m2)))" "$((i3 & (2#$m3)))" "$((i4 & (2#$m4)))") || exit 1
+ # Put a new flow to tag all the tunnel traffic with configured vlan-id
+ if [[ -n $(ovs-ofctl dump-flows "${tunnel_interface}" | grep "nw_dst=${tunnel_network_cidr}") ]]; then
+ ovs-ofctl del-flows "${tunnel_interface}" "cookie=0x9999/-1, table=0, ip,nw_dst=${tunnel_network_cidr}"
+ fi
+ ovs-ofctl add-flow "${tunnel_interface}" "cookie=0x9999, table=0, priority=8, ip,nw_dst=${tunnel_network_cidr}, actions=mod_vlan_vid:${tunnel_underlay_vlan},NORMAL"
+ fi
+ fi
+ break
+ fi
+ done
+ fi
+fi
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent-readiness.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent-readiness.sh.tpl
new file mode 100644
index 0000000..783ec4a
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent-readiness.sh.tpl
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -e
+
+OVS_PID=$(cat /run/openvswitch/ovs-vswitchd.pid)
+OVS_CTL=/run/openvswitch/ovs-vswitchd.${OVS_PID}.ctl
+
+ovs-vsctl list-br | grep -q br-int
+
+[ -z "$(/usr/bin/ovs-vsctl show | grep error:)" ]
+
+{{ if .Values.conf.ovs_dpdk.enabled }}
+ {{- if hasKey .Values.conf.ovs_dpdk "nics"}}
+ # Check if port(s) and bridge(s) are configured.
+ {{- range .Values.conf.ovs_dpdk.nics }}
+ ovs-vsctl list-br | grep -q {{ .bridge }}
+ ovs-vsctl list-ports {{ .bridge }} | grep -q {{ .name }}
+ {{- end }}
+ {{- end }}
+
+ {{- if hasKey .Values.conf.ovs_dpdk "bonds"}}
+ # Check if bond(s) and slave(s) are configured.
+ {{- range .Values.conf.ovs_dpdk.bonds }}
+ bond={{ .name }}
+ ovs-appctl -t ${OVS_CTL} bond/list | grep -q ${bond}
+ {{- range .nics }}
+ ovs-appctl -t ${OVS_CTL} bond/show ${bond} | grep -q "slave {{ .name }}"
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{ end }}
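Review bot: The readiness checks use substring matches — `ovs-vsctl list-br | grep -q br-int` also succeeds when only a bridge with a longer name such as `br-int-foo` exists, and the templated `grep -q {{ .bridge }}` / `grep -q {{ .name }}` lines pass an unquoted value that grep interprets as a regular expression. Matching whole lines literally, `grep -qxF br-int` and `grep -qxF '{{ .bridge }}'`, makes the probe report ready only when the exact bridge or port is present, which is what the comments above the loops describe. With `set -e` in place any miss already fails the probe, so the tighter match changes nothing for correctly configured nodes.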
diff --git a/charts/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl
new file mode 100644
index 0000000..5ad8b4d
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-openvswitch-agent.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec neutron-openvswitch-agent \
+ --config-file /etc/neutron/neutron.conf \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+ --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+{{- if .Values.conf.plugins.openvswitch_agent.agent.tunnel_types }}
+ --config-file /tmp/pod-shared/ml2-local-ip.ini \
+{{- end }}
+{{- if .Values.conf.plugins.taas.taas.enabled }}
+ --config-file /etc/neutron/plugins/ml2/taas.ini \
+{{- end }}
+ --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini \
+ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
diff --git a/charts/neutron/templates/bin/_neutron-server.sh.tpl b/charts/neutron/templates/bin/_neutron-server.sh.tpl
new file mode 100644
index 0000000..83ca918
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-server.sh.tpl
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec neutron-server \
+ --config-file /etc/neutron/neutron.conf \
+{{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ --config-file /etc/neutron/plugins/tungstenfabric/tf_plugin.ini
+{{- else }}
+ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
+{{- end }}
+{{- if .Values.conf.plugins.taas.taas.enabled }} \
+ --config-file /etc/neutron/taas_plugin.ini
+{{- end }}
+{{- if ( has "sriov" .Values.network.backend ) }} \
+ --config-file /etc/neutron/plugins/ml2/sriov_agent.ini
+{{- end }}
+{{- if .Values.conf.plugins.l2gateway }} \
+ --config-file /etc/neutron/l2gw_plugin.ini
+{{- end }}
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
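Review bot: `$COMMAND` on the last line executes whatever arguments the container was started with, not only the two functions defined above — `COMMAND="${@:-start}"` supplies a default but does not restrict the value, and the unquoted expansion word-splits it as well. A `case` dispatch keeps the entrypoint to its declared interface: `case "${COMMAND}" in start|stop) "${COMMAND}" ;; *) echo "unknown command: ${COMMAND}" >&2; exit 1 ;; esac`. The same pattern is in `_nginx.sh.tpl` in this commit. Separately, the `\` continuation characters sit on the `{{- if }}` template lines rather than on the `--config-file` lines, so the argument list only joins correctly because `{{-` trims the preceding newline; a comment such as `# NOTE: the trailing "\" on the {{- if }} lines continues the previous --config-file argument` would keep the next editor from breaking it.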
diff --git a/charts/neutron/templates/bin/_neutron-sriov-agent-init.sh.tpl b/charts/neutron/templates/bin/_neutron-sriov-agent-init.sh.tpl
new file mode 100644
index 0000000..d98cfe8
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-sriov-agent-init.sh.tpl
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+#NOTE: Please limit "besteffort" to dev env with mixed hardware computes only
+# For prod env, the target nic should be there, if not, script should error out.
+set -ex
+BESTEFFORT=false
+{{- if ( has "besteffort" .Values.conf.sriov_init ) }}
+set +e
+BESTEFFORT=true
+{{- end }}
+
+{{- range $k, $sriov := .Values.network.interface.sriov }}
+if [ "x{{ $sriov.num_vfs }}" != "x" ]; then
+ echo "{{ $sriov.num_vfs }}" > /sys/class/net/{{ $sriov.device }}/device/sriov_numvfs
+else
+ #NOTE(portdirect): Many NICs have difficulty creating more than n-1 over their
+ # claimed limit, by default err on the side of caution and account for this
+ # limitation.
+ TOT_NUM_VFS=$(cat /sys/class/net/{{ $sriov.device }}/device/sriov_totalvfs)
+ if [[ "$TOT_NUM_VFS" -le "0" ]]; then
+ NUM_VFS="$TOT_NUM_VFS"
+ else
+ if [[ "$((TOT_NUM_VFS - 1 ))" -le "1" ]]; then
+ NUM_VFS=1
+ else
+ NUM_VFS="$((TOT_NUM_VFS - 1 ))"
+ fi
+ fi
+ echo "${NUM_VFS}" > /sys/class/net/{{ $sriov.device }}/device/sriov_numvfs
+fi
+
+{{- if hasKey $sriov "qos" -}}
+{{- range $v, $qos := $sriov.qos }}
+echo "{{ $qos.share }}" > /sys/class/net/{{ $sriov.device }}/device/sriov/{{ $qos.vf_num }}/qos/share
+{{- end}}
+echo "1" > /sys/class/net/{{ $sriov.device }}/device/sriov/qos/apply
+{{- end }}
+
+# Set number of queues is best effort in case where VF is already binded,
+# NIC will not allow to set, in such case, a node reboot will allow all
+# VF to set properly.
+{{- if hasKey $sriov "queues_per_vf" }}
+set +e
+{{- range $v, $qvf := $sriov.queues_per_vf }}
+SMOKE=','
+MIRROR=' '
+SKIPLIST={{ $qvf.exclude_vf }}
+SKIPLIST=${SKIPLIST//$SMOKE/$MIRROR}
+
+NUMVF={{ $sriov.num_vfs }}
+for vf in `seq 0 $[$NUMVF - 1]`
+do
+ if ! ( echo ${SKIPLIST[@]} | grep -q -w "$vf" ); then
+ echo "{{ $qvf.num_queues }}" > /sys/class/net/{{ $sriov.device }}/device/sriov/$vf/num_queues
+ fi
+done
+
+{{- end }}
+if ! $BESTEFFORT; then
+ set -e
+fi
+{{- end }}
+
+{{- if $sriov.mtu }}
+ip link set dev {{ $sriov.device }} mtu {{ $sriov.mtu }}
+{{- end }}
+ip link set {{ $sriov.device }} up
+ip link show {{ $sriov.device }}
+
+{{- if $sriov.promisc }}
+promisc_mode="on"
+{{- else }}
+promisc_mode="off"
+{{- end }}
+ip link set {{ $sriov.device }} promisc ${promisc_mode}
+#NOTE(portdirect): get the bus that the port is on
+NIC_BUS=$(lshw -c network -businfo | awk '/{{ $sriov.device }}/ {print $1}')
+#NOTE(portdirect): get first port on the nic
+NIC_FIRST_PORT=$(lshw -c network -businfo | awk "/${NIC_BUS%%.*}/ { print \$2; exit }")
+#NOTE(portdirect): Enable promisc mode on the nic, by setting it for the 1st port
+ethtool --set-priv-flags ${NIC_FIRST_PORT} vf-true-promisc-support ${promisc_mode}
+{{- end }}
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
+
+if $BESTEFFORT; then
+ exit 0
+fi
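Review bot: The queues_per_vf loop takes its bound from the raw template value at `NUMVF={{ $sriov.num_vfs }}`, but when `num_vfs` is not configured the script has instead derived the count into `NUM_VFS` from `sriov_totalvfs`; in that case NUMVF presumably renders empty, `$[$NUMVF - 1]` evaluates to -1, `seq 0 -1` yields nothing, and no VF gets its queue count set with nothing reporting it. Keeping the effective count in one variable fixes this: assign `NUM_VFS="{{ $sriov.num_vfs }}"` in the first branch before the write to `sriov_numvfs`, and loop with `for vf in $(seq 0 $((NUM_VFS - 1)))`. Note also that under besteffort the script ends with `exit 0` whatever happened, so a failed `sriov_numvfs` write is only visible in the `set -x` trace; that matches the header note, but a comment next to the final `exit 0` stating that failures are deliberately masked in this mode would make it explicit.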
diff --git a/charts/neutron/templates/bin/_neutron-sriov-agent.sh.tpl b/charts/neutron/templates/bin/_neutron-sriov-agent.sh.tpl
new file mode 100644
index 0000000..982c9e7
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-sriov-agent.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec neutron-sriov-nic-agent \
+ --config-file /etc/neutron/neutron.conf \
+ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+ --config-file /tmp/pod-shared/neutron-agent.ini \
+{{- end }}
+{{- if .Values.conf.plugins.taas.taas.enabled }}
+ --config-file /etc/neutron/plugins/ml2/taas.ini \
+{{- end }}
+ --config-file /etc/neutron/plugins/ml2/sriov_agent.ini
diff --git a/charts/neutron/templates/bin/_neutron-test-force-cleanup.sh.tpl b/charts/neutron/templates/bin/_neutron-test-force-cleanup.sh.tpl
new file mode 100644
index 0000000..90d85dd
--- /dev/null
+++ b/charts/neutron/templates/bin/_neutron-test-force-cleanup.sh.tpl
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+
+if openstack project show "${OS_TEST_PROJECT_NAME}" --domain="${OS_TEST_PROJECT_DOMAIN_NAME}" ; then
+ OS_TEST_PROJECT_ID=$(openstack project show "${OS_TEST_PROJECT_NAME}" -f value -c id --domain="${OS_TEST_PROJECT_DOMAIN_NAME}")
+ ospurge --purge-project "${OS_TEST_PROJECT_ID}"
+ openstack quota set "${OS_TEST_PROJECT_ID}" --networks "${NETWORK_QUOTA}" --ports "${PORT_QUOTA}" --routers "${ROUTER_QUOTA}" --subnets "${SUBNET_QUOTA}" --secgroups "${SEC_GROUP_QUOTA}"
+fi
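Review bot: `ospurge --purge-project` deletes every resource in the project, and the only gate in front of it is that a project with the configured name exists in the configured domain; an unset `OS_TEST_PROJECT_NAME` makes the `if` lookup fail and the job exit 0 without purging anything, while a mis-set one purges whatever project the values happen to name. A guard before the lookup, `: "${OS_TEST_PROJECT_NAME:?must be set}" "${OS_TEST_PROJECT_DOMAIN_NAME:?must be set}"`, makes the empty case an explicit failure, and a comment above the purge stating that the job is meant only for the throw-away test project would document the blast radius. The quota values on the last command are likewise passed unchecked; with `set -e` an unset one fails the job after the purge has already run, so checking them up front keeps the purge and the quota reset either both happening or neither.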
diff --git a/charts/neutron/templates/bin/_nginx.sh.tpl b/charts/neutron/templates/bin/_nginx.sh.tpl
new file mode 100644
index 0000000..53418a5
--- /dev/null
+++ b/charts/neutron/templates/bin/_nginx.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -xe
+
+COMMAND="${@:-start}"
+
+start () {
+ envsubst < /etc/nginx/nginx.conf > /tmp/nginx.conf
+ cat /tmp/nginx.conf
+ nginx -t -c /tmp/nginx.conf
+ exec nginx -c /tmp/nginx.conf
+}
+
+stop () {
+ nginx -s stop
+}
+
+$COMMAND
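Review bot: `cat /tmp/nginx.conf` in `start` writes the fully substituted configuration to the container's stdout, so every value `envsubst` expanded from the environment ends up in pod logs; if any of those variables carry credentials or internal endpoints (not visible from this hunk), they become readable to anyone with log access. `nginx -t -c /tmp/nginx.conf` already validates the file and prints the offending line on error, so the `cat` can be dropped or gated behind an explicit debug variable. The unrestricted `$COMMAND` dispatch at the end is the same issue raised on `_neutron-server.sh.tpl` in this commit.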
diff --git a/charts/neutron/templates/certificates.yaml b/charts/neutron/templates/certificates.yaml
new file mode 100644
index 0000000..f65396d
--- /dev/null
+++ b/charts/neutron/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/neutron/templates/configmap-bin.yaml b/charts/neutron/templates/configmap-bin.yaml
new file mode 100644
index 0000000..2a6b9cf
--- /dev/null
+++ b/charts/neutron/templates/configmap-bin.yaml
@@ -0,0 +1,102 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: neutron-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ health-probe.py: |
+{{ tuple "bin/_health-probe.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-dhcp-agent.sh: |
+{{ tuple "bin/_neutron-dhcp-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-dhcp-agent-init.sh: |
+{{ tuple "bin/_neutron-dhcp-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-l3-agent.sh: |
+{{ tuple "bin/_neutron-l3-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-l3-agent-init.sh: |
+{{ tuple "bin/_neutron-l3-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-linuxbridge-agent.sh: |
+{{ tuple "bin/_neutron-linuxbridge-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-linuxbridge-agent-init.sh: |
+{{ tuple "bin/_neutron-linuxbridge-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-linuxbridge-agent-init-modules.sh: |
+{{ tuple "bin/_neutron-linuxbridge-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-metadata-agent.sh: |
+{{ tuple "bin/_neutron-metadata-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-metadata-agent-init.sh: |
+{{ tuple "bin/_neutron-metadata-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-openvswitch-agent.sh: |
+{{ tuple "bin/_neutron-openvswitch-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-openvswitch-agent-init.sh: |
+{{ tuple "bin/_neutron-openvswitch-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-openvswitch-agent-init-modules.sh: |
+{{ tuple "bin/_neutron-openvswitch-agent-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-openvswitch-agent-readiness.sh: |
+{{ tuple "bin/_neutron-openvswitch-agent-readiness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-sriov-agent.sh: |
+{{ tuple "bin/_neutron-sriov-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-sriov-agent-init.sh: |
+{{ tuple "bin/_neutron-sriov-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-l2gw-agent.sh: |
+{{ tuple "bin/_neutron-l2gw-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-bagpipe-bgp.sh: |
+{{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-bagpipe-bgp-init.sh: |
+{{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if .Values.manifests.certificates }}
+ nginx.sh: |
+{{ tuple "bin/_nginx.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ neutron-server.sh: |
+{{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-ironic-agent.sh: |
+{{ tuple "bin/_neutron-ironic-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ neutron-netns-cleanup-cron.py: |
+{{ tuple "bin/_neutron-netns-cleanup-cron.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+ neutron-test-force-cleanup.sh: |
+{{ tuple "bin/_neutron-test-force-cleanup.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ tf-plugin.pth: |
+ /opt/plugin/site-packages
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/templates/configmap-etc.yaml b/charts/neutron/templates/configmap-etc.yaml
new file mode 100644
index 0000000..36af849
--- /dev/null
+++ b/charts/neutron/templates/configmap-etc.yaml
@@ -0,0 +1,299 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- define "neutron.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.keystone_authtoken "auth_uri" -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.keystone_authtoken "auth_url" -}}
+{{- end }}
+
+{{- if empty .Values.conf.neutron.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.neutron.keystone_authtoken "project_name" .Values.endpoints.identity.auth.neutron.project_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.project_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "project_domain_name" $envAll.Values.endpoints.identity.auth.neutron.project_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.user_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "user_domain_name" $envAll.Values.endpoints.identity.auth.neutron.user_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.username -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "username" $envAll.Values.endpoints.identity.auth.neutron.username -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.password -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "password" $envAll.Values.endpoints.identity.auth.neutron.password -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.region_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "region_name" $envAll.Values.endpoints.identity.auth.neutron.region_name -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set $envAll.Values.conf.neutron.keystone_authtoken "memcached_servers" -}}
+{{- end }}
+{{- if empty .Values.conf.neutron.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.neutron.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.neutron.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.neutron.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.neutron.database "connection" $connection -}}
+{{- end -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "neutron" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set $envAll.Values.conf.neutron.DEFAULT "transport_url" -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.nova.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.nova "auth_url" -}}
+{{- end }}
+
+{{- if empty $envAll.Values.conf.neutron.nova.region_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.project_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.project_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.user_domain_name -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.username -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.neutron.nova.password -}}
+{{- $_ := set $envAll.Values.conf.neutron.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.neutron.octavia.base_url -}}
+{{- $_ := tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.octavia "base_url" -}}
+{{- end }}
+
+{{/*
+nova_metadata_ip can go away when Newton is no longer supported, otherwise
+just set it along with nova_metadata_host.
+*/}}
+{{- if empty $envAll.Values.conf.metadata_agent.DEFAULT.nova_metadata_ip -}}
+{{- $_ := tuple "compute_metadata" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set $envAll.Values.conf.metadata_agent.DEFAULT "nova_metadata_ip" -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.metadata_agent.DEFAULT.nova_metadata_host -}}
+{{- $_ := tuple "compute_metadata" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set $envAll.Values.conf.metadata_agent.DEFAULT "nova_metadata_host" -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.metadata_agent.DEFAULT.nova_metadata_port -}}
+{{- $_ := set $envAll.Values.conf.metadata_agent.DEFAULT "nova_metadata_port" 80 -}}
+{{- end -}}
+{{- if empty $envAll.Values.conf.metadata_agent.cache.memcache_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set $envAll.Values.conf.metadata_agent.cache "memcache_servers" -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.neutron.DEFAULT.interface_driver -}}
+{{- $_ := set $envAll.Values "__interface_driver" ( list ) }}
+{{- if ( has "openvswitch" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "openvswitch" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- if ( has "linuxbridge" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "linuxbridge" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- $_ := set $envAll.Values.conf.neutron.DEFAULT "interface_driver" $envAll.Values.__interface_driver -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.dhcp_agent.DEFAULT.interface_driver -}}
+{{- $_ := set $envAll.Values "__interface_driver" ( list ) }}
+{{- if ( has "openvswitch" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "openvswitch" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- if ( has "linuxbridge" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "linuxbridge" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- $_ := set $envAll.Values.conf.dhcp_agent.DEFAULT "interface_driver" $envAll.Values.__interface_driver -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.l3_agent.DEFAULT.interface_driver -}}
+{{- $_ := set $envAll.Values "__interface_driver" ( list ) }}
+{{- if ( has "openvswitch" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "openvswitch" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- if ( has "linuxbridge" $envAll.Values.network.backend ) -}}
+{{ $__interface_driver := append $envAll.Values.__interface_driver "linuxbridge" }}
+{{- $_ := set $envAll.Values "__interface_driver" $__interface_driver }}
+{{- end -}}
+{{- $_ := set $envAll.Values.conf.l3_agent.DEFAULT "interface_driver" $envAll.Values.__interface_driver -}}
+{{- end -}}
+
+{{- if empty $envAll.Values.conf.plugins.ml2_conf.ml2.mechanism_drivers -}}
+{{- if (contains "vxlan" $envAll.Values.conf.plugins.ml2_conf.ml2.tenant_network_types) -}}
+{{- $_ := set $envAll.Values "__mechanism_drivers" (append $envAll.Values.network.backend "l2population") -}}
+{{- end -}}
+{{- $_ := set $envAll.Values.conf.plugins.ml2_conf.ml2 "mechanism_drivers" ($envAll.Values.__mechanism_drivers | default $envAll.Values.network.backend | uniq) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.neutron.DEFAULT.bind_port -}}
+{{- $_ := tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.neutron.DEFAULT "bind_port" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+
+{{- if .Values.conf.ovs_dpdk.enabled -}}
+{{- $_ := set $envAll.Values.conf.plugins.openvswitch_agent.ovs "datapath_type" "netdev" -}}
+{{- if empty $envAll.Values.conf.plugins.openvswitch_agent.ovs.vhostuser_socket_dir -}}
+{{- $_ := set $envAll.Values.conf.plugins.openvswitch_agent.ovs "vhostuser_socket_dir" "/run/openvswitch/vhostuser" -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Designate DNS driver */}}
+{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}}
+{{- if empty .Values.conf.neutron.designate.project_name -}}
+{{- $_ := set .Values.conf.neutron.designate "project_name" .Values.endpoints.identity.auth.designate.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.project_domain_name -}}
+{{- $_ := set .Values.conf.neutron.designate "project_domain_name" .Values.endpoints.identity.auth.designate.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.user_domain_name -}}
+{{- $_ := set .Values.conf.neutron.designate "user_domain_name" .Values.endpoints.identity.auth.designate.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.username -}}
+{{- $_ := set .Values.conf.neutron.designate "username" .Values.endpoints.identity.auth.designate.username -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.password -}}
+{{- $_ := set .Values.conf.neutron.designate "password" .Values.endpoints.identity.auth.designate.password -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.designate.url -}}
+{{- $_ := tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.neutron.designate "url" -}}
+{{- end -}}
+{{- end }}
+
+{{- if (has "baremetal" .Values.network.backend) -}}
+{{- if empty .Values.conf.neutron.ironic.project_name -}}
+{{- $_ := set .Values.conf.neutron.ironic "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.ironic.project_domain_name -}}
+{{- $_ := set .Values.conf.neutron.ironic "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.ironic.user_domain_name -}}
+{{- $_ := set .Values.conf.neutron.ironic "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.ironic.username -}}
+{{- $_ := set .Values.conf.neutron.ironic "username" .Values.endpoints.identity.auth.ironic.username -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.ironic.password -}}
+{{- $_ := set .Values.conf.neutron.ironic "password" .Values.endpoints.identity.auth.ironic.password -}}
+{{- end -}}
+{{- end -}}
+
+{{- if ( has "tungstenfabric" .Values.network.backend ) -}}
+{{- if empty .Values.conf.plugins.tungstenfabric.KEYSTONE.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.plugins.tungstenfabric.KEYSTONE "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tungstenfabric.KEYSTONE.admin_user -}}
+{{- $_ := set .Values.conf.plugins.tungstenfabric.KEYSTONE "admin_user" .Values.endpoints.identity.auth.admin.username -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tungstenfabric.KEYSTONE.admin_password -}}
+{{- $_ := set .Values.conf.plugins.tungstenfabric.KEYSTONE "admin_password" .Values.endpoints.identity.auth.admin.password -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tungstenfabric.KEYSTONE.admin_tenant_name -}}
+{{- $_ := set .Values.conf.plugins.tungstenfabric.KEYSTONE "admin_tenant_name" .Values.endpoints.identity.auth.admin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tf_vnc_api_lib.auth.AUTHN_SERVER -}}
+{{- $_ := tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" | set .Values.conf.plugins.tf_vnc_api_lib.auth "AUTHN_SERVER" -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tf_vnc_api_lib.auth.AUTHN_PORT -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.plugins.tf_vnc_api_lib.auth "AUTHN_PORT" -}}
+{{- end -}}
+{{- if empty .Values.conf.plugins.tf_vnc_api_lib.auth.AUTHN_DOMAIN -}}
+{{- $_ := set .Values.conf.plugins.tf_vnc_api_lib.auth "AUTHN_DOMAIN" .Values.endpoints.identity.auth.neutron.project_domain_name -}}
+{{- end -}}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $configMapName }}
+type: Opaque
+data:
+ rally_tests.yaml: {{ toYaml $envAll.Values.conf.rally_tests.tests | b64enc }}
+ api-paste.ini: {{ include "helm-toolkit.utils.to_ini" $envAll.Values.conf.paste | b64enc }}
+ policy.yaml: {{ toYaml $envAll.Values.conf.policy | b64enc }}
+ neutron.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.neutron | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+ dhcp_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.dhcp_agent | b64enc }}
+ l3_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.l3_agent | b64enc }}
+ metadata_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.metadata_agent | b64enc }}
+ metering_agent.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.metering_agent | b64enc) }}
+ taas_plugin.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.taas_plugin | b64enc) }}
+ ml2_conf.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.ml2_conf | b64enc }}
+ ml2_conf_sriov.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.ml2_conf_sriov | b64enc) }}
+ taas.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.taas | b64enc }}
+ l2gw_plugin.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.plugins.l2gateway | b64enc) }}
+ macvtap_agent.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.macvtap_agent | b64enc) }}
+ linuxbridge_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.linuxbridge_agent | b64enc }}
+ openvswitch_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.openvswitch_agent | b64enc }}
+ sriov_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.sriov_agent | b64enc }}
+ l2gw_agent.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.l2gateway_agent | b64enc) }}
+ bagpipe_bgp.conf: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.bagpipe_bgp | b64enc) }}
+ tf_plugin.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.tungstenfabric | b64enc) }}
+ vnc_api_lib.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.tf_vnc_api_lib | b64enc) }}
+ dnsmasq.conf: "{{ $envAll.Values.conf.dnsmasq | b64enc }}"
+ neutron_sudoers: {{ $envAll.Values.conf.neutron_sudoers | b64enc }}
+ rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
+ auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }}
+ dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }}
+ update_dpdk_bond_config: {{ $envAll.Values.conf.ovs_dpdk.update_dpdk_bond_config | toString | b64enc }}
+{{- if .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-" $key }}
+ {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "neutron-etc" . | include "neutron.configmap.etc" }}
+{{- end }}
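Review bot: The `memcache_secret_key` fallback `( randAlphaNum 64 )` is evaluated afresh on every render, so whenever `endpoints.oslo_cache.auth.memcache_secret_key` is unset the rendered neutron.conf, and therefore the `neutron-etc` Secret, changes on each `helm upgrade`, which also changes the `configmap-etc-hash` annotation the daemonset templates in this commit stamp from this file and rolls the neutron pods. A comment above that block would make the trade-off visible to operators: `{{/* NOTE: falls back to a per-render random key; set endpoints.oslo_cache.auth.memcache_secret_key to keep the Secret (and the pod hash annotations) stable across upgrades */}}`. Separately, `nova_metadata_host` is resolved through the `compute_metadata` endpoint lookup while `nova_metadata_port` is hard-coded to 80 two lines later; if the endpoint definition is meant to be authoritative, an `endpoint_port_lookup` against the same endpoint would keep the two from drifting. The block also alternates between `.Values` and `$envAll.Values` inside `with $envAll`; they name the same object, but settling on one form would make the template easier to read.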
diff --git a/charts/neutron/templates/daemonset-bagpipe-bgp.yaml b/charts/neutron/templates/daemonset-bagpipe-bgp.yaml
new file mode 100644
index 0000000..9e6393e
--- /dev/null
+++ b/charts/neutron/templates/daemonset-bagpipe-bgp.yaml
@@ -0,0 +1,181 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "bagpipeBgpLivenessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "bagpipeBgpReadinessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "neutron.bagpipe_bgp.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_bagpipe_bgp := .Values.pod.mounts.bagpipe_bgp.bagpipe_bgp }}
+{{- $mounts_neutron_bagpipe_bgp_init := .Values.pod.mounts.bagpipe_bgp.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: bagpipe-bgp
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.bagpipe_bgp.node_selector_key }}: {{ .Values.labels.bagpipe_bgp.node_selector_value }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_bagpipe_bgp_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: neutron-bagpipe-bgp-init
+{{ tuple $envAll "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.image" | indent 10 }}
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ command:
+ - /tmp/neutron-bagpipe-bgp-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-bagpipe-bgp-init.sh
+ subPath: neutron-bagpipe-bgp-init.sh
+ readOnly: true
+ - name: run
+ mountPath: /run
+ containers:
+ - name: neutron-bagpipe-bgp
+{{ tuple $envAll "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.bagpipe_bgp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" "container" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "bagpipe_bgp" "container" "bagpipe_bgp" "type" "liveness" "probeTemplate" (include "bagpipeBgpLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "bagpipe_bgp" "container" "bagpipe_bgp" "type" "readiness" "probeTemplate" (include "bagpipeBgpReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/neutron-bagpipe-bgp.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-bagpipe-bgp.sh
+ subPath: neutron-bagpipe-bgp.sh
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /tmp/auto_bridge_add
+ subPath: auto_bridge_add
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/bagpipe-bgp/bgp.conf
+ subPath: bagpipe_bgp.conf
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "bagpipe_bgp" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: libmodules
+ mountPath: /lib/modules
+ readOnly: true
+ - name: run
+ mountPath: /run
+{{ if $mounts_neutron_bagpipe_bgp.volumeMounts }}{{ toYaml $mounts_neutron_bagpipe_bgp.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: run
+ hostPath:
+ path: /run
+{{ if $mounts_neutron_bagpipe_bgp.volumes }}{{ toYaml $mounts_neutron_bagpipe_bgp.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_bagpipe_bgp }}
+{{- $envAll := . }}
+{{- $daemonset := "bagpipe-bgp" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-bagpipe-bgp" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "bagpipe_bgp" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.bagpipe_bgp.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
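Review bot: The `neutron-bagpipe-bgp-init` init container sets `privileged: true` and `runAsUser: 0` inline, while the main `neutron-bagpipe-bgp` container below it takes its security context from `helm-toolkit.snippets.kubernetes_container_security_context` driven by values, so the init container's privileges cannot be tuned or audited through `pod.security_context` like the rest of the pod. Unless the init script needs more than the values-driven context provides, replacing the inline `securityContext` block with `{{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" "container" "neutron_bagpipe_bgp_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` (with a matching container entry under `pod.security_context.neutron_bagpipe_bgp` in values — I cannot see whether one exists) would keep the two containers consistent. The `shareProcessNamespace` guard compares `.Capabilities.KubeVersion.Minor` as a string, so `ge "10"` is lexicographic and a minor of "9" or a suffixed value such as "21+" satisfies it in ways a numeric comparison would not; with the `hostPID` fallback this only matters on very old clusters, but `semverCompare ">=1.10-0" .Capabilities.KubeVersion.Version` would be exact.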
diff --git a/charts/neutron/templates/daemonset-dhcp-agent.yaml b/charts/neutron/templates/daemonset-dhcp-agent.yaml
new file mode 100644
index 0000000..f2a5a85
--- /dev/null
+++ b/charts/neutron/templates/daemonset-dhcp-agent.yaml
@@ -0,0 +1,292 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "dhcpAgentReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/dhcp_agent.ini
+ - --agent-queue-name
+ - dhcp_agent
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+{{- define "dhcpAgentLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/dhcp_agent.ini
+ - --agent-queue-name
+ - dhcp_agent
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.dhcp_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_dhcp_agent := .Values.pod.mounts.neutron_dhcp_agent.neutron_dhcp_agent }}
+{{- $mounts_neutron_dhcp_agent_init := .Values.pod.mounts.neutron_dhcp_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-dhcp-agent
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "dhcp-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "dhcp-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "dhcp_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "dhcp-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-dhcp-agent-default" "containerNames" (list "neutron-dhcp-agent" "neutron-dhcp-agent-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_dhcp_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: neutron-dhcp-agent-init
+{{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_dhcp_agent" "container" "neutron_dhcp_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/neutron-dhcp-agent-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: neutron-bin
+ mountPath: /tmp/neutron-dhcp-agent-init.sh
+ subPath: neutron-dhcp-agent-init.sh
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/dhcp_agent.ini
+ subPath: dhcp_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/metadata_agent.ini
+ subPath: metadata_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ subPath: openvswitch_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /tmp/auto_bridge_add
+ subPath: auto_bridge_add
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "dhcp_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: neutron-dhcp-agent
+{{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_dhcp_agent" "container" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "dhcp_agent" "container" "dhcp_agent" "type" "readiness" "probeTemplate" (include "dhcpAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "dhcp_agent" "container" "dhcp_agent" "type" "liveness" "probeTemplate" (include "dhcpAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/neutron-dhcp-agent.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-dhcp-agent.sh
+ subPath: neutron-dhcp-agent.sh
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ {{- if ( has "openvswitch" .Values.network.backend ) }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ subPath: openvswitch_agent.ini
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/dhcp_agent.ini
+ subPath: dhcp_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/dnsmasq.conf
+ subPath: dnsmasq.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/metadata_agent.ini
+ subPath: metadata_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "dhcp_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: iptables-lockfile
+ mountPath: /run/xtables.lock
+ - name: socket
+ mountPath: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ mountPath: /run/netns
+ mountPropagation: Bidirectional
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_dhcp_agent.volumeMounts }}{{ toYaml $mounts_neutron_dhcp_agent.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: iptables-lockfile
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ - name: socket
+ hostPath:
+ path: /var/lib/neutron/openstack-helm
+ - name: pod-shared
+ emptyDir: {}
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ hostPath:
+ path: /run/netns
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_dhcp_agent.volumes }}{{ toYaml $mounts_neutron_dhcp_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_dhcp_agent }}
+{{- $envAll := . }}
+{{- $daemonset := "dhcp-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-dhcp-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "dhcp" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.dhcp_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
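Review bot: The liveness template at the top of this file (dhcpAgentLivenessProbeTemplate) is the same command, argument for argument, as the readiness template, whereas the l2gw and l3 agent daemonsets added in this same commit pass an extra `--liveness-probe` argument to /tmp/health-probe.py in their liveness templates only. If that flag selects a lighter check in health-probe.py (the script is not in this hunk, so I cannot confirm its semantics), its absence here means the dhcp agent's liveness probe is applying readiness semantics, and a slow RPC round-trip could get the agent container killed rather than merely marked unready; on a hostNetwork, shareProcessNamespace pod that owns the dnsmasq namespaces that is an availability concern, not just a cosmetic one. Either add `- --liveness-probe` after `- dhcp_agent` in the liveness template, or add a one-line comment above it stating that identical liveness and readiness probes are intentional for this agent.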
diff --git a/charts/neutron/templates/daemonset-l2gw-agent.yaml b/charts/neutron/templates/daemonset-l2gw-agent.yaml
new file mode 100644
index 0000000..2bb2fdc
--- /dev/null
+++ b/charts/neutron/templates/daemonset-l2gw-agent.yaml
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "l2gwAgentLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/l2gw_agent.ini
+ - --agent-queue-name
+ - l2gateway_agent
+ - --liveness-probe
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "l2gwAgentReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/l2gw_agent.ini
+ - --agent-queue-name
+ - l2gateway_agent
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.l2gw_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_l2gw_agent := .Values.pod.mounts.neutron_l2gw_agent.neutron_l2gw_agent }}
+{{- $mounts_neutron_l2gw_agent_init := .Values.pod.mounts.neutron_l2gw_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-l2gw-agent
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "l2gw-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "l2gw-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "l2gw_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "l2gw-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_l2gw_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.agent.l2gw.node_selector_key }}: {{ .Values.labels.agent.l2gw.node_selector_value }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_l2gw_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: neutron-l2gw-agent
+{{ tuple $envAll "neutron_l2gw" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.l2gw | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_l2gw_agent" "container" "neutron_l2gw_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "l2gw_agent" "container" "l2gw_agent" "type" "liveness" "probeTemplate" (include "l2gwAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "l2gw_agent" "container" "l2gw_agent" "type" "readiness" "probeTemplate" (include "l2gwAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/neutron-l2gw-agent.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-l2gw-agent.sh
+ subPath: neutron-l2gw-agent.sh
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/l2gw_agent.ini
+ subPath: l2gw_agent.ini
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_l2gw_agent.volumeMounts }}{{ toYaml $mounts_neutron_l2gw_agent.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_l2gw_agent.volumes }}{{ toYaml $mounts_neutron_l2gw_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_l2gw_agent }}
+{{- $envAll := . }}
+{{- $daemonset := "l2gw-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-l2gw-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "l2gateway" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.l2gw_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
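Review bot: The pod template annotations here carry only the release uuid and the two configmap hashes; unlike the dhcp and l3 agent daemonsets in this commit there is no `helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation` line, so an AppArmor profile configured for neutron pods through values is not attached to this pod even though it runs with hostNetwork and shareProcessNamespace (or hostPID on clusters older than 1.10). Unless the l2gw agent is deliberately excluded from mandatory access control, add after the configmap-etc-hash annotation: `{{ dict "envAll" $envAll "podName" "neutron-l2gw-agent-default" "containerNames" (list "neutron-l2gw-agent" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}`. The podName follows the `<daemonset>-default` convention used by the sibling files and should be checked against the values schema before merging.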
diff --git a/charts/neutron/templates/daemonset-l3-agent.yaml b/charts/neutron/templates/daemonset-l3-agent.yaml
new file mode 100644
index 0000000..65cfe09
--- /dev/null
+++ b/charts/neutron/templates/daemonset-l3-agent.yaml
@@ -0,0 +1,295 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "l3AgentReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/l3_agent.ini
+ - --agent-queue-name
+ - l3_agent
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+{{- define "l3AgentLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/l3_agent.ini
+ - --agent-queue-name
+ - l3_agent
+ - --liveness-probe
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.l3_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_l3_agent := .Values.pod.mounts.neutron_l3_agent.neutron_l3_agent }}
+{{- $mounts_neutron_l3_agent_init := .Values.pod.mounts.neutron_l3_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-l3-agent
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "l3-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "l3-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "l3_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "l3-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-l3-agent-default" "containerNames" (list "neutron-l3-agent" "init" "neutron-l3-agent-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_l3_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: neutron-l3-agent-init
+{{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_l3_agent" "container" "neutron_l3_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/neutron-l3-agent-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-l3-agent-init.sh
+ subPath: neutron-l3-agent-init.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: neutron-etc
+ mountPath: /etc/neutron/l3_agent.ini
+ subPath: l3_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/metadata_agent.ini
+ subPath: metadata_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ subPath: openvswitch_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /tmp/auto_bridge_add
+ subPath: auto_bridge_add
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "l3_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: neutron-l3-agent
+{{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_l3_agent" "container" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "l3_agent" "container" "l3_agent" "type" "readiness" "probeTemplate" (include "l3AgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "l3_agent" "container" "l3_agent" "type" "liveness" "probeTemplate" (include "l3AgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/neutron-l3-agent.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-l3-agent.sh
+ subPath: neutron-l3-agent.sh
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ {{- if ( has "openvswitch" .Values.network.backend ) }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ subPath: openvswitch_agent.ini
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/l3_agent.ini
+ subPath: l3_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/metadata_agent.ini
+ subPath: metadata_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "l3_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: libmodules
+ mountPath: /lib/modules
+ readOnly: true
+ - name: iptables-lockfile
+ mountPath: /run/xtables.lock
+ - name: socket
+ mountPath: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ mountPath: /run/netns
+ mountPropagation: Bidirectional
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_l3_agent.volumeMounts }}{{ toYaml $mounts_neutron_l3_agent.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: iptables-lockfile
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ - name: pod-shared
+ emptyDir: {}
+ - name: socket
+ hostPath:
+ path: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ hostPath:
+ path: /run/netns
+ {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_l3_agent.volumes }}{{ toYaml $mounts_neutron_l3_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_l3_agent }}
+{{- $envAll := . }}
+{{- $daemonset := "l3-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-l3-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "l3" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.l3_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
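Review bot: The optional `host-run-netns` mount uses `mountPropagation: Bidirectional`, which the Kubernetes API server only accepts on a container whose securityContext sets `privileged: true`; this file takes the container security context entirely from values through the helm-toolkit snippet and nothing ties `network.share_namespaces` to that setting, so an operator who enables share_namespaces with a hardened (non-privileged) context gets a DaemonSet rejected at admission, and one who "fixes" it by flipping privileged on silently widens the blast radius of a pod that already has hostNetwork, host /run/netns, /run/xtables.lock and a sudoers override. I would document the coupling next to the mount: `# NOTE: Bidirectional propagation is only permitted for privileged containers;` / `# enabling network.share_namespaces therefore requires privileged: true in the` / `# neutron_l3_agent container security context supplied through values.` A `fail` guard in the template would be stricter, but the exact values path the security-context snippet reads is not visible in this hunk so I have not proposed one. The dhcp agent daemonset in this commit has the identical mount and needs the same note.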
diff --git a/charts/neutron/templates/daemonset-lb-agent.yaml b/charts/neutron/templates/daemonset-lb-agent.yaml
new file mode 100644
index 0000000..7cb8637
--- /dev/null
+++ b/charts/neutron/templates/daemonset-lb-agent.yaml
@@ -0,0 +1,240 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "lbAgentReadinessProbeTemplate" }}
+exec:
+ command:
+ - bash
+ - -c
+ - 'brctl show'
+{{- end }}
+
+{{- define "neutron.lb_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_lb_agent := .Values.pod.mounts.neutron_lb_agent.neutron_lb_agent }}
+{{- $mounts_neutron_lb_agent_init := .Values.pod.mounts.neutron_lb_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-lb-agent
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "neutron-lb-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "neutron-lb-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "lb_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "neutron-lb-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.lb.node_selector_key }}: {{ .Values.labels.lb.node_selector_value }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: neutron-lb-agent-kernel-modules
+{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/neutron-linuxbridge-agent-init-modules.sh
+ volumeMounts:
+ - name: neutron-bin
+ mountPath: /tmp/neutron-linuxbridge-agent-init-modules.sh
+ subPath: neutron-linuxbridge-agent-init-modules.sh
+ readOnly: true
+ - name: host-rootfs
+ mountPath: /mnt/host-rootfs
+ mountPropagation: HostToContainer
+ readOnly: true
+ - name: neutron-lb-agent-init
+{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/neutron-linuxbridge-agent-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-linuxbridge-agent-init.sh
+ subPath: neutron-linuxbridge-agent-init.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+ subPath: linuxbridge_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /tmp/auto_bridge_add
+ subPath: auto_bridge_add
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "lb_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: run
+ mountPath: /run
+{{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
+ containers:
+ - name: neutron-lb-agent
+{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "lb_agent" "container" "lb_agent" "type" "readiness" "probeTemplate" (include "lbAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/neutron-linuxbridge-agent.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-linuxbridge-agent.sh
+ subPath: neutron-linuxbridge-agent.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+ subPath: linuxbridge_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "lb_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: run
+ mountPath: /run
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: pod-shared
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: run
+ hostPath:
+ path: /run
+ - name: host-rootfs
+ hostPath:
+ path: /
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_lb_agent.volumes }}{{ toYaml $mounts_neutron_lb_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.daemonset_lb_agent ( has "linuxbridge" .Values.network.backend ) }}
+{{- $envAll := . }}
+{{- $daemonset := "lb-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-lb-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "lb_agent" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.lb_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
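Review bot: The `host-rootfs` volume (path `/`, volumes block near the end of the hunk) exposes the entire node filesystem to the `neutron-lb-agent-kernel-modules` init container; `readOnly: true` with `HostToContainer` propagation prevents writes, but the container can still read kubelet credentials, `/etc/shadow` and other pods' projected secrets under `/var/lib/kubelet`. The l3-agent and netns-cleanup daemonsets in this same change get by with a read-only `/lib/modules` hostPath, so unless `neutron-linuxbridge-agent-init-modules.sh` (not in this hunk) chroots into the host to run modprobe, the mount should be narrowed to `path: /lib/modules` with a matching `mountPath`. If the full root really is needed, add a comment on the volume stating why, e.g. `# NOTE: init script needs the whole host rootfs (chroot modprobe); keep readOnly`, so the next reviewer does not have to re-derive it. Independently, the `lbAgentReadinessProbeTemplate` only proves `brctl` runs, not that the agent is registered or reachable over RPC, unlike the `health-probe.py` probes used by the metadata and OVS agents.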
diff --git a/charts/neutron/templates/daemonset-metadata-agent.yaml b/charts/neutron/templates/daemonset-metadata-agent.yaml
new file mode 100644
index 0000000..edfa0a1
--- /dev/null
+++ b/charts/neutron/templates/daemonset-metadata-agent.yaml
@@ -0,0 +1,236 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadataAgentReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/metadata_agent.ini
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+{{- define "metadataAgentLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/metadata_agent.ini
+ - --liveness-probe
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.metadata_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_metadata_agent := .Values.pod.mounts.neutron_metadata_agent.neutron_metadata_agent }}
+{{- $mounts_neutron_metadata_agent_init := .Values.pod.mounts.neutron_metadata_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-metadata-agent
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "metadata-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "metadata-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "metadata_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "metadata-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-metadata-agent-default" "containerNames" (list "neutron-metadata-agent" "neutron-metadata-agent-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_metadata_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_metadata_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: neutron-metadata-agent-init
+{{ tuple $envAll "neutron_metadata" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_metadata_agent" "container" "neutron_metadata_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: NEUTRON_USER_UID
+ value: "{{ .Values.pod.security_context.neutron_metadata_agent.pod.runAsUser }}"
+ command:
+ - /tmp/neutron-metadata-agent-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-metadata-agent-init.sh
+ subPath: neutron-metadata-agent-init.sh
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ - name: socket
+ mountPath: /var/lib/neutron/openstack-helm
+ containers:
+ - name: neutron-metadata-agent
+{{ tuple $envAll "neutron_metadata" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "metadata_agent" "container" "metadata_agent" "type" "readiness" "probeTemplate" (include "metadataAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "metadata_agent" "container" "metadata_agent" "type" "liveness" "probeTemplate" (include "metadataAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ securityContext:
+ privileged: true
+ command:
+ - /tmp/neutron-metadata-agent.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-metadata-agent.sh
+ subPath: neutron-metadata-agent.sh
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ {{- if ( has "openvswitch" .Values.network.backend ) }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ subPath: openvswitch_agent.ini
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/metadata_agent.ini
+ subPath: metadata_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "metadata_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: socket
+ mountPath: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ mountPath: /run/netns
+ mountPropagation: Bidirectional
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: socket
+ hostPath:
+ path: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ hostPath:
+ path: /run/netns
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_metadata_agent }}
+{{- $envAll := . }}
+{{- $daemonset := "metadata-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-metadata-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "metadata" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.metadata_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
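Review bot: The `neutron-metadata-agent` container hard-codes `securityContext: privileged: true` instead of rendering it through `helm-toolkit.snippets.kubernetes_container_security_context` the way its own init container and every other container in this change do, so operators cannot tighten or audit it through `pod.security_context.neutron_metadata_agent.container` overrides and the AppArmor annotation above is the only values-driven control left. Replace the two lines with `{{ dict "envAll" $envAll "application" "neutron_metadata_agent" "container" "neutron_metadata_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` and carry `privileged: true` as the default in the chart values for that container. The default presumably stays privileged because the agent enters tenant namespaces via the Bidirectional `/run/netns` mount, but the setting then becomes visible and overridable rather than baked into the template.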
diff --git a/charts/neutron/templates/daemonset-netns-cleanup-cron.yaml b/charts/neutron/templates/daemonset-netns-cleanup-cron.yaml
new file mode 100644
index 0000000..c512d17
--- /dev/null
+++ b/charts/neutron/templates/daemonset-netns-cleanup-cron.yaml
@@ -0,0 +1,186 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "neutron.netns_cleanup_cron.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_netns_cleanup_cron := .Values.pod.mounts.neutron_netns_cleanup_cron.neutron_netns_cleanup_cron }}
+{{- $mounts_neutron_netns_cleanup_cron_init := .Values.pod.mounts.neutron_netns_cleanup_cron.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-netns-cleanup-cron
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "netns-cleanup-cron" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-netns-cleanup-cron-default" "containerNames" (list "neutron-netns-cleanup-cron" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ nodeSelector:
+ {{ .Values.labels.netns_cleanup_cron.node_selector_key }}: {{ .Values.labels.netns_cleanup_cron.node_selector_value }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_netns_cleanup_cron_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: neutron-netns-cleanup-cron
+{{ tuple $envAll "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.netns_cleanup_cron | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" "container" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - python
+ - /tmp/neutron-netns-cleanup-cron.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/dhcp_agent.ini
+ - --config-file
+ - /etc/neutron/l3_agent.ini
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" false }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-netns-cleanup-cron.py
+ subPath: neutron-netns-cleanup-cron.py
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/dhcp_agent.ini
+ subPath: dhcp_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/l3_agent.ini
+ subPath: l3_agent.ini
+ readOnly: true
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "netns_cleanup_cron" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: libmodules
+ mountPath: /lib/modules
+ readOnly: true
+ - name: iptables-lockfile
+ mountPath: /run/xtables.lock
+ - name: socket
+ mountPath: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ mountPath: /run/netns
+ mountPropagation: Bidirectional
+ {{- end }}
+{{ if $mounts_neutron_netns_cleanup_cron.volumeMounts }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: iptables-lockfile
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ - name: socket
+ hostPath:
+ path: /var/lib/neutron/openstack-helm
+ {{- if .Values.network.share_namespaces }}
+ - name: host-run-netns
+ hostPath:
+ path: /run/netns
+ {{- end }}
+#{{ if $mounts_neutron_netns_cleanup_cron.volumes }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_netns_cleanup_cron}}
+{{- $envAll := . }}
+{{- $daemonset := "netns-cleanup-cron" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-netns-cleanup-cron" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "netns_cleanup_cron" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.netns_cleanup_cron.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
+
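Review bot: The leading `#` on the `$mounts_neutron_netns_cleanup_cron.volumes` line does not stop Helm from evaluating the template action; it only comments out the first rendered line, so when an operator sets `pod.mounts.neutron_netns_cleanup_cron.neutron_netns_cleanup_cron.volumes` the remaining lines land at column 10 under the previous volume and the manifest either fails to parse or merges the extra keys into the preceding hostPath entry, while the corresponding `volumeMounts` line earlier in the hunk is still rendered and references a volume that never gets defined. Drop the `#` so it matches the sibling daemonsets: `{{ if $mounts_neutron_netns_cleanup_cron.volumes }}{{ toYaml $mounts_neutron_netns_cleanup_cron.volumes | indent 8 }}{{ end }}`. The `pod-var-neutron` volume is also declared but never mounted in this pod and can be removed. Separately, the cron container receives the Keystone admin credentials via `keystone_openrc_env_vars` with `useCA false` inside a host-networked, netns-capable pod; if `neutron-netns-cleanup-cron.py` (not in this hunk) only needs to list routers and networks, a dedicated neutron service user would narrow the blast radius — confirm against the script.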
diff --git a/charts/neutron/templates/daemonset-ovs-agent.yaml b/charts/neutron/templates/daemonset-ovs-agent.yaml
new file mode 100644
index 0000000..59e33f0
--- /dev/null
+++ b/charts/neutron/templates/daemonset-ovs-agent.yaml
@@ -0,0 +1,315 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ovsAgentReadinessProbeTemplate" }}
+exec:
+ command:
+ - /tmp/neutron-openvswitch-agent-readiness.sh
+{{- end }}
+{{- define "ovsAgentLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ - --agent-queue-name
+ - q-agent-notifier-tunnel-update
+ - --liveness-probe
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.ovs_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_ovs_agent := .Values.pod.mounts.neutron_ovs_agent.neutron_ovs_agent }}
+{{- $mounts_neutron_ovs_agent_init := .Values.pod.mounts.neutron_ovs_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-ovs-agent
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "neutron-ovs-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "neutron-ovs-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "ovs_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "neutron-ovs-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "$configMapName" "containerNames" (list "neutron-ovs-agent" "init" "neutron-openvswitch-agent-kernel-modules" "neutron-ovs-agent-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_ovs_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_ovs_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: neutron-openvswitch-agent-kernel-modules
+{{ tuple $envAll "neutron_openvswitch_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_openvswitch_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/neutron-openvswitch-agent-init-modules.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-openvswitch-agent-init-modules.sh
+ subPath: neutron-openvswitch-agent-init-modules.sh
+ readOnly: true
+ - name: host-rootfs
+ mountPath: /mnt/host-rootfs
+ mountPropagation: HostToContainer
+ readOnly: true
+{{- if .Values.conf.ovs_dpdk.enabled }}
+ - name: pci-devices
+ mountPath: /sys/bus/pci/devices
+{{- end }}
+ - name: neutron-ovs-agent-init
+{{ tuple $envAll "neutron_openvswitch_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_ovs_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ {{- if .Values.conf.ovs_dpdk.enabled }}
+ env:
+ - name: UPDATE_DPDK_BOND_CONFIG
+ valueFrom:
+ secretKeyRef:
+ name: {{ $configMapName }}
+ key: update_dpdk_bond_config
+ {{- end }}
+ command:
+ - /tmp/neutron-openvswitch-agent-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-openvswitch-agent-init.sh
+ subPath: neutron-openvswitch-agent-init.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ subPath: openvswitch_agent.ini
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ {{- if .Values.conf.plugins.taas.taas.enabled }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/taas.ini
+ subPath: taas.ini
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /tmp/auto_bridge_add
+ subPath: auto_bridge_add
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- if .Values.conf.ovs_dpdk.enabled }}
+ - name: neutron-etc
+ mountPath: /tmp/dpdk.conf
+ subPath: dpdk.conf
+ readOnly: true
+ {{- end }}
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "ovs_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: run
+ mountPath: /run
+{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
+ containers:
+ - name: neutron-ovs-agent
+{{ tuple $envAll "neutron_openvswitch_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "ovs_agent" "container" "ovs_agent" "type" "readiness" "probeTemplate" (include "ovsAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs_agent" "container" "ovs_agent" "type" "liveness" "probeTemplate" (include "ovsAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_ovs_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/neutron-openvswitch-agent.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-openvswitch-agent.sh
+ subPath: neutron-openvswitch-agent.sh
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/neutron-openvswitch-agent-readiness.sh
+ subPath: neutron-openvswitch-agent-readiness.sh
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+ subPath: openvswitch_agent.ini
+ readOnly: true
+ {{- if .Values.conf.plugins.taas.taas.enabled }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/taas.ini
+ subPath: taas.ini
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "ovs_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: run
+ mountPath: /run
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: varlibopenvswitch
+ emptyDir: {}
+ - name: pod-shared
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: run
+ hostPath:
+ path: /run
+ - name: host-rootfs
+ hostPath:
+ path: /
+{{- if .Values.conf.ovs_dpdk.enabled }}
+ - name: pci-devices
+ hostPath:
+ path: /sys/bus/pci/devices
+ type: Directory
+{{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_ovs_agent.volumes }}{{ toYaml $mounts_neutron_ovs_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.daemonset_ovs_agent ( has "openvswitch" .Values.network.backend ) }}
+{{- $envAll := . }}
+{{- $daemonset := "ovs-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-ovs-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "ovs_agent" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.ovs_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/daemonset-sriov-agent.yaml b/charts/neutron/templates/daemonset-sriov-agent.yaml
new file mode 100644
index 0000000..4bf0021
--- /dev/null
+++ b/charts/neutron/templates/daemonset-sriov-agent.yaml
@@ -0,0 +1,257 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "sriovAgentReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/neutron/neutron.conf
+ - --config-file
+ - /etc/neutron/sriov_agent.ini
+{{- if .Values.pod.use_fqdn.neutron_agent }}
+ - --use-fqdn
+{{- end }}
+{{- end }}
+
+{{- define "neutron.sriov_agent.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_neutron_sriov_agent := .Values.pod.mounts.neutron_sriov_agent.neutron_sriov_agent }}
+{{- $mounts_neutron_sriov_agent_init := .Values.pod.mounts.neutron_sriov_agent.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: neutron-sriov-agent
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "neutron-sriov-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "neutron-sriov-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "sriov_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "neutron-sriov-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-sriov-agent-default" "containerNames" (list "neutron-sriov-agent-init" "init" "neutron-sriov-agent") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.sriov.node_selector_key }}: {{ .Values.labels.sriov.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ shareProcessNamespace: true
+ {{- else }}
+ hostPID: true
+ {{- end }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_sriov_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: neutron-sriov-agent-init
+{{ tuple $envAll "neutron_sriov_agent_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_sriov_agent" "container" "neutron_sriov_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/neutron-sriov-agent-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/neutron-sriov-agent-init.sh
+ subPath: neutron-sriov-agent-init.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/sriov_agent.ini
+ subPath: sriov_agent.ini
+ readOnly: true
+ {{- if .Values.conf.plugins.taas.taas.enabled }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/taas.ini
+ subPath: taas.ini
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "sriov_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: run
+ mountPath: /run
+{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}
+ containers:
+ - name: neutron-sriov-agent
+{{ tuple $envAll "neutron_sriov_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_sriov_agent" "container" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{ dict "envAll" $envAll "component" "sriov_agent" "container" "sriov_agent" "type" "readiness" "probeTemplate" (include "sriovAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/neutron-sriov-agent.sh
+ volumeMounts:
+ - mountPath: /sys/class/net
+ name: host-sys-class-net
+ - mountPath: /sys/devices
+ name: host-sys-devices
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-sriov-agent.sh
+ subPath: neutron-sriov-agent.sh
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/sriov_agent.ini
+ subPath: sriov_agent.ini
+ readOnly: true
+ {{- if .Values.conf.plugins.taas.taas.enabled }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/taas.ini
+ subPath: taas.ini
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_neutron_sudoers
+ subPath: neutron_sudoers
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "sriov_agent" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
+ - name: neutron-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: run
+ mountPath: /run
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: host-sys-class-net
+ hostPath:
+ path: /sys/class/net
+ - name: host-sys-devices
+ hostPath:
+ path: /sys/devices
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: pod-shared
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: run
+ hostPath:
+ path: /run
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_sriov_agent.volumes }}{{ toYaml $mounts_neutron_sriov_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.manifests.daemonset_sriov_agent ( has "sriov" .Values.network.backend ) }}
+{{- $envAll := . }}
+{{- $daemonset := "sriov-agent" }}
+{{- $configMapName := "neutron-etc" }}
+{{- $serviceAccountName := "neutron-sriov-agent" }}
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "sriov_agent" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.sriov_agent.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "neutron.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
diff --git a/charts/neutron/templates/deployment-ironic-agent.yaml b/charts/neutron/templates/deployment-ironic-agent.yaml
new file mode 100644
index 0000000..431225f
--- /dev/null
+++ b/charts/neutron/templates/deployment-ironic-agent.yaml
@@ -0,0 +1,116 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_ironic_agent }}
+{{- $envAll := . }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "ironic_agent" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{- $mounts_neutron_ironic_agent := .Values.pod.mounts.neutron_ironic_agent.neutron_ironic_agent }}
+{{- $mounts_neutron_ironic_agent_init := .Values.pod.mounts.neutron_ironic_agent.init_container }}
+
+{{- $serviceAccountName := "neutron-ironic-agent" }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: neutron-ironic-agent
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "ironic-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.ironic_agent }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "ironic-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "ironic-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_ironic_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "neutron" "ironic_agent" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.ironic_agent.node_selector_key }}: {{ .Values.labels.ironic_agent.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 8 }}
+{{ end }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.ironic_agent.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_ironic_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: neutron-ironic-agent
+{{ tuple $envAll "neutron_ironic_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ironic_agent | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_ironic_agent" "container" "neutron_ironic_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/neutron-ironic-agent.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/neutron-ironic-agent.sh
+ - stop
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-ironic-agent.sh
+ subPath: neutron-ironic-agent.sh
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_ironic_agent.volumeMounts }}{{ toYaml $mounts_neutron_ironic_agent.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: neutron-etc
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_ironic_agent.volumes }}{{ toYaml $mounts_neutron_ironic_agent.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/neutron/templates/deployment-server.yaml b/charts/neutron/templates/deployment-server.yaml
new file mode 100644
index 0000000..2e39a40
--- /dev/null
+++ b/charts/neutron/templates/deployment-server.yaml
@@ -0,0 +1,283 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "serverReadinessProbeTemplate" }}
+{{- if .Values.manifests.certificates }}
+exec:
+ command:
+ - python
+ - -c
+ - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
+initialDelaySeconds: 30
+{{- else }}
+httpGet:
+ scheme: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+{{- end }}
+{{- define "serverLivenessProbeTemplate" }}
+{{- if .Values.manifests.certificates }}
+exec:
+ command:
+ - python
+ - -c
+ - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
+initialDelaySeconds: 30
+{{- else }}
+httpGet:
+ scheme: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_server }}
+{{- $envAll := . }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "server" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{- $mounts_neutron_server := .Values.pod.mounts.neutron_server.neutron_server }}
+{{- $mounts_neutron_server_init := .Values.pod.mounts.neutron_server.init_container }}
+
+{{- $serviceAccountName := "neutron-server" }}
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: neutron-server
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.server }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "neutron-server" "containerNames" (list "neutron-server" "init" "nginx") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "neutron_server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_neutron_server_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ - name: tungstenfabric-neutron-init
+ image: {{ .Values.images.tags.tf_neutron_init }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.security_context.neutron_server.pod.runAsUser }}
+ env:
+ - name: OPENSTACK_VERSION
+ value: "{{ .Values.conf.openstack_version }}"
+ volumeMounts:
+ - name: neutron-plugin-shared
+ mountPath: /opt/plugin
+ {{- end }}
+ containers:
+ {{- if $envAll.Values.manifests.certificates }}
+ - name: nginx
+{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_server" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ ports:
+ - name: q-api
+ containerPort: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ env:
+ - name: PORT
+ value: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SHORTNAME
+ value: {{ tuple "network" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /
+ port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ command:
+ - /tmp/nginx.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/nginx.sh
+ - stop
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/nginx.sh
+ subPath: nginx.sh
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx.conf
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- end }}
+ - name: neutron-server
+{{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "neutron_server" "container" "neutron_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "readiness" "probeTemplate" (include "serverReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "liveness" "probeTemplate" (include "serverLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/neutron-server.sh
+ - start
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/neutron/certs/ca.crt"
+{{- end }}
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/neutron-server.sh
+ - stop
+ ports:
+ - name: q-api
+ containerPort: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }}
+ - name: neutron-bin
+ mountPath: /tmp/neutron-server.sh
+ subPath: neutron-server.sh
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/neutron.conf
+ subPath: neutron.conf
+ readOnly: true
+ {{- if .Values.conf.neutron.DEFAULT.log_config_append }}
+ - name: neutron-etc
+ mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+ {{- if( has "tungstenfabric" .Values.network.backend ) }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/tungstenfabric/tf_plugin.ini
+ subPath: tf_plugin.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/contrail/vnc_api_lib.ini
+ subPath: vnc_api_lib.ini
+ readOnly: true
+ - name: neutron-plugin-shared
+ mountPath: /opt/plugin
+ - name: neutron-bin
+ mountPath: /usr/local/lib/python2.7/site-packages/tf-plugin.pth
+ subPath: tf-plugin.pth
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /var/lib/openstack/lib/python2.7/site-packages/tf-plugin.pth
+ subPath: tf-plugin.pth
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /var/lib/openstack/lib/python3.6/site-packages/tf-plugin.pth
+ subPath: tf-plugin.pth
+ readOnly: true
+ {{- else }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ {{- end }}
+ {{ if ( has "sriov" .Values.network.backend ) }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/plugins/ml2/sriov_agent.ini
+ subPath: sriov_agent.ini
+ readOnly: true
+ {{ end }}
+ {{- if .Values.conf.plugins.taas.taas.enabled }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/taas_plugin.ini
+ subPath: taas_plugin.ini
+ readOnly: true
+ {{ end }}
+ {{- if .Values.conf.plugins.l2gateway }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/l2gw_plugin.ini
+ subPath: l2gw_plugin.ini
+ readOnly: true
+ {{ end }}
+ - name: neutron-etc
+ mountPath: /etc/neutron/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: neutron-etc
+ mountPath: /etc/neutron/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ {{- if .Values.manifests.certificates }}
+ - name: wsgi-neutron
+ emptyDir: {}
+ {{- end }}
+ - name: pod-var-neutron
+ emptyDir: {}
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: neutron-etc
+ secret:
+ secretName: neutron-etc
+ defaultMode: 0444
+ {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ - name: neutron-plugin-shared
+ emptyDir: {}
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
+{{- end }}
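Review bot: The `tungstenfabric-neutron-init` init container populates `/opt/plugin`, which the `neutron-server` container then puts on its import path through the three `tf-plugin.pth` mounts, yet it is the only container in this pod that does not get the `kubernetes_container_security_context` snippet and it is missing from the `containerNames` list passed to `kubernetes_mandatory_access_control_annotation`, so it runs with only `runAsUser` set and no mandatory-access-control annotation. Since code staged by this container is executed by the API server, it deserves at least the hardening of the main containers: replace the hand-written `securityContext:` block with `{{ dict "envAll" $envAll "application" "neutron_server" "container" "tungstenfabric_neutron_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` (with a matching entry under `pod.security_context.neutron_server.container`, which lives outside this hunk) and add `"tungstenfabric-neutron-init"` to the `containerNames` list. The `neutron-plugin-shared` mount in `neutron-server` can also carry `readOnly: true`, since the server only imports from it — unless the plugin writes there at runtime, which this file does not show. Separately, the exec probes used when `manifests.certificates` is set call `requests.get(...)` without inspecting the response, so a 5xx from the server still counts as live and ready, unlike the `httpGet` branch; `requests.get('http://127.0.0.1:<port>', timeout=5).raise_for_status()` would align the two modes. The `wsgi-neutron` emptyDir declared under `manifests.certificates` is not mounted by any container in this template and looks like dead configuration unless a mount is injected through `pod.mounts.neutron_server`.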
diff --git a/charts/neutron/templates/ingress-server.yaml b/charts/neutron/templates/ingress-server.yaml
new file mode 100644
index 0000000..6e6eb73
--- /dev/null
+++ b/charts/neutron/templates/ingress-server.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-bootstrap.yaml b/charts/neutron/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..ff9dbe8
--- /dev/null
+++ b/charts/neutron/templates/job-bootstrap.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-db-drop.yaml b/charts/neutron/templates/job-db-drop.yaml
new file mode 100644
index 0000000..67d4174
--- /dev/null
+++ b/charts/neutron/templates/job-db-drop.yaml
@@ -0,0 +1,25 @@
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
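Review bot: Nothing in this template signals that `manifests.job_db_drop` renders a destructive Job: the `helm-toolkit.manifests.job_db_drop_mysql` include drops the neutron database using the `oslo_db` admin credentials (its body is outside this file), and unlike the sibling job templates there is no `helm3_hook`/`jobAnnotations` block, so the Job is created as an ordinary release resource whenever the flag is true, including on `helm upgrade`. A template comment after the license header would make that explicit, e.g. `{{/* Destructive: drops the neutron database with the oslo_db admin credentials. Keep manifests.job_db_drop false except for intentional teardown. */}}`. Whether the missing hook annotations are deliberate I cannot tell from here; if the job is meant only for manual runs, the comment should say so. The stray blank line before the license header, which no other template in this change has, should also be dropped.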
diff --git a/charts/neutron/templates/job-db-init.yaml b/charts/neutron/templates/job-db-init.yaml
new file mode 100644
index 0000000..184ec97
--- /dev/null
+++ b/charts/neutron/templates/job-db-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-db-sync.yaml b/charts/neutron/templates/job-db-sync.yaml
new file mode 100644
index 0000000..1d22407
--- /dev/null
+++ b/charts/neutron/templates/job-db-sync.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "neutron" "podVolMounts" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumeMounts "podVols" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-image-repo-sync.yaml b/charts/neutron/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..890c57e
--- /dev/null
+++ b/charts/neutron/templates/job-image-repo-sync.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-ks-endpoints.yaml b/charts/neutron/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..ec76b71
--- /dev/null
+++ b/charts/neutron/templates/job-ks-endpoints.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksEndpointsJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksEndpointsJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $ksEndpointsJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksEndpointsJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-ks-service.yaml b/charts/neutron/templates/job-ks-service.yaml
new file mode 100644
index 0000000..e4225c6
--- /dev/null
+++ b/charts/neutron/templates/job-ks-service.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-ks-user.yaml b/charts/neutron/templates/job-ks-user.yaml
new file mode 100644
index 0000000..563ba7b
--- /dev/null
+++ b/charts/neutron/templates/job-ks-user.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/neutron/templates/job-rabbit-init.yaml b/charts/neutron/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..0d08170
--- /dev/null
+++ b/charts/neutron/templates/job-rabbit-init.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.neutron.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/neutron/templates/network_policy.yaml b/charts/neutron/templates/network_policy.yaml
new file mode 100644
index 0000000..9eb4620
--- /dev/null
+++ b/charts/neutron/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "neutron" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/neutron/templates/pdb-server.yaml b/charts/neutron/templates/pdb-server.yaml
new file mode 100644
index 0000000..80f4c4d
--- /dev/null
+++ b/charts/neutron/templates/pdb-server.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_server }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: neutron-server
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.server.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/neutron/templates/pod-rally-test.yaml b/charts/neutron/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..5ef57fa
--- /dev/null
+++ b/charts/neutron/templates/pod-rally-test.yaml
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.neutron_tests.neutron_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.neutron_tests.init_container }}
+
+{{- $serviceAccountName := print .deployment_name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ print .deployment_name "-test" }}
+ annotations:
+ "helm.sh/hook": test-success
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "neutron" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ dict "envAll" $envAll "podName" "neutron-test" "containerNames" (list "init" "neutron-test" "neutron-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.neutron.enabled }}
+{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
+ restartPolicy: Never
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ - name: neutron-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+ command:
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-bin
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+{{ if $envAll.Values.conf.rally_tests.force_project_purge }}
+ - name: {{ .deployment_name }}-reset
+{{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: OS_TEST_PROJECT_NAME
+ value: {{ .Values.endpoints.identity.auth.test.project_name }}
+ - name: OS_TEST_PROJECT_DOMAIN_NAME
+ value: {{ .Values.endpoints.identity.auth.test.domain_name }}
+ - name: NETWORK_QUOTA
+ value: {{ (first (index .Values.conf.rally_tests.tests "NeutronNetworks.create_and_delete_networks")).context.quotas.neutron.network | quote }}
+ - name: PORT_QUOTA
+ value: {{ (first (index .Values.conf.rally_tests.tests "NeutronNetworks.create_and_delete_ports")).context.quotas.neutron.port | quote }}
+ - name: ROUTER_QUOTA
+ value: {{ (first (index .Values.conf.rally_tests.tests "NeutronNetworks.create_and_delete_routers")).context.quotas.neutron.router | quote }}
+ - name: SUBNET_QUOTA
+ value: {{ (first (index .Values.conf.rally_tests.tests "NeutronNetworks.create_and_delete_subnets")).context.quotas.neutron.subnet | quote }}
+ - name: SEC_GROUP_QUOTA
+ value: {{ (first (index .Values.conf.rally_tests.tests "NeutronSecurityGroup.create_and_list_security_groups")).context.quotas.neutron.security_group | quote }}
+ command:
+ - /tmp/neutron-test-force-cleanup.sh
+ volumeMounts:
+ - name: neutron-bin
+ mountPath: /tmp/neutron-test-force-cleanup.sh
+ subPath: neutron-test-force-cleanup.sh
+ readOnly: true
+ - name: pod-tmp
+ mountPath: /tmp/pod-tmp
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ end }}
+ containers:
+ - name: neutron-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: RALLY_ENV_NAME
+ value: {{.Release.Name}}
+ command:
+ - /tmp/rally-test.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: neutron-etc
+ mountPath: /etc/rally/rally_tests.yaml
+ subPath: rally_tests.yaml
+ readOnly: true
+ - name: neutron-bin
+ mountPath: /tmp/rally-test.sh
+ subPath: rally-test.sh
+ readOnly: true
+ - name: rally-db
+ mountPath: /var/lib/rally
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: neutron-etc
+ secret:
+ secretName: neutron-etc
+ defaultMode: 0444
+ - name: neutron-bin
+ configMap:
+ name: neutron-bin
+ defaultMode: 0555
+ - name: rally-db
+ emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
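Review bot: The `OS_TEST_PROJECT_NAME`, `OS_TEST_PROJECT_DOMAIN_NAME` and `RALLY_ENV_NAME` env values are rendered as plain scalars, while every quota value in the same `-reset` init container goes through `| quote`; a project, domain or release name that YAML types as a number, boolean or null (an all-digit name, for instance) then fails API validation, since an env `value` must be a string. Passing them through `quote` like the neighbouring lines removes the dependency on what the operator puts in values: `value: {{ .Values.endpoints.identity.auth.test.project_name | quote }}`, `value: {{ .Values.endpoints.identity.auth.test.domain_name | quote }}`, `value: {{ .Release.Name | quote }}`. Separately, the `neutron-test-ks-user`, `-reset` and `neutron-test` containers are all handed `.Values.secrets.identity.admin` via `keystone_openrc_env_vars`; that appears to be how the toolkit snippet is meant to be used, but a one-line template comment above the `{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin ... }}` blocks stating that the test pod runs with the admin identity would help operators decide whether `pod_rally_test` should stay enabled outside CI.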
diff --git a/charts/neutron/templates/secret-db.yaml b/charts/neutron/templates/secret-db.yaml
new file mode 100644
index 0000000..47d956f
--- /dev/null
+++ b/charts/neutron/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "neutron" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/templates/secret-ingress-tls.yaml b/charts/neutron/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..0185c6a
--- /dev/null
+++ b/charts/neutron/templates/secret-ingress-tls.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "server" "backendServiceType" "network" ) }}
+{{- end }}
diff --git a/charts/neutron/templates/secret-keystone.yaml b/charts/neutron/templates/secret-keystone.yaml
new file mode 100644
index 0000000..3ce6865
--- /dev/null
+++ b/charts/neutron/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "neutron" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/templates/secret-registry.yaml b/charts/neutron/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/neutron/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/neutron/templates/secret_rabbitmq.yaml b/charts/neutron/templates/secret_rabbitmq.yaml
new file mode 100644
index 0000000..16c70e4
--- /dev/null
+++ b/charts/neutron/templates/secret_rabbitmq.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "neutron" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/neutron/templates/service-ingress-neutron.yaml b/charts/neutron/templates/service-ingress-neutron.yaml
new file mode 100644
index 0000000..86a53d9
--- /dev/null
+++ b/charts/neutron/templates/service-ingress-neutron.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_server .Values.network.server.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "network" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/neutron/templates/service-server.yaml b/charts/neutron/templates/service-server.yaml
new file mode 100644
index 0000000..8fcee66
--- /dev/null
+++ b/charts/neutron/templates/service-server.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_server }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "network" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: q-api
+ port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.server.node_port.enabled }}
+ nodePort: {{ .Values.network.server.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.server.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.server.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
diff --git a/charts/neutron/values.yaml b/charts/neutron/values.yaml
new file mode 100644
index 0000000..0fb2645
--- /dev/null
+++ b/charts/neutron/values.yaml
@@ -0,0 +1,2396 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for neutron.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+images:
+ tags:
+ bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ test: docker.io/xrally/xrally-openstack:2.0.0
+ purge_test: docker.io/openstackhelm/ospurge:latest
+ db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ neutron_db_sync: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_l2gw: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_openvswitch_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
+ neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
+ neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_ironic_agent: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+labels:
+ agent:
+ dhcp:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ l3:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ metadata:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ l2gw:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ lb:
+ node_selector_key: linuxbridge
+ node_selector_value: enabled
+ # openvswitch is a special case, requiring a special
+ # label that can apply to both control hosts
+ # and compute hosts, until we get more sophisticated
+ # with our daemonset scheduling
+ ovs:
+ node_selector_key: openvswitch
+ node_selector_value: enabled
+ sriov:
+ node_selector_key: sriov
+ node_selector_value: enabled
+ bagpipe_bgp:
+ node_selector_key: openstack-compute-node
+ node_selector_value: enabled
+ server:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ ironic_agent:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ netns_cleanup_cron:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+network:
+ # provide what type of network wiring will be used
+ backend:
+ - openvswitch
+ # NOTE(Portdirect): Share network namespaces with the host,
+ # allowing agents to be restarted without packet loss and simpler
+ # debugging. This feature requires mount propagation support.
+ share_namespaces: true
+ interface:
+ # Tunnel interface will be used for VXLAN tunneling.
+ tunnel: null
+ # If tunnel is null there is a fallback mechanism to search
+ # for interface with routing using tunnel network cidr.
+ tunnel_network_cidr: "0/0"
+ # To perform setup of network interfaces using the SR-IOV init
+ # container you can use a section similar to:
+ # sriov:
+ # - device: ${DEV}
+ # num_vfs: 8
+ # mtu: 9214
+ # promisc: false
+ # qos:
+ # - vf_num: 0
+ # share: 10
+ # queues_per_vf:
+ # - num_queues: 16
+ # exclude_vf: 0,11,21
+ server:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30096
+
+bootstrap:
+ enabled: false
+ ks_user: neutron
+ script: |
+ openstack token issue
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - neutron-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ targeted:
+ sriov: {}
+ l2gateway: {}
+ bagpipe_bgp: {}
+ openvswitch:
+ dhcp:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-ovs-agent
+ l3:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-ovs-agent
+ metadata:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-ovs-agent
+ linuxbridge:
+ dhcp:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-lb-agent
+ l3:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-lb-agent
+ metadata:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-lb-agent
+ lb_agent:
+ pod: null
+ static:
+ bootstrap:
+ services:
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: compute
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - neutron-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ dhcp:
+ pod: null
+ jobs:
+ - neutron-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: compute
+ ks_endpoints:
+ jobs:
+ - neutron-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - service: oslo_messaging
+ endpoint: internal
+ l3:
+ pod: null
+ jobs:
+ - neutron-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: compute
+ lb_agent:
+ pod: null
+ jobs:
+ - neutron-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: network
+ metadata:
+ pod: null
+ jobs:
+ - neutron-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: compute
+ - endpoint: public
+ service: compute_metadata
+ ovs_agent:
+ jobs:
+ - neutron-rabbit-init
+ pod:
+ - requireSameNode: true
+ labels:
+ application: openvswitch
+ component: server
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: network
+ server:
+ jobs:
+ - neutron-db-sync
+ - neutron-ks-user
+ - neutron-ks-endpoints
+ - neutron-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: identity
+ ironic_agent:
+ jobs:
+ - neutron-db-sync
+ - neutron-ks-user
+ - neutron-ks-endpoints
+ - neutron-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: identity
+ tests:
+ services:
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: compute
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+pod:
+ use_fqdn:
+ neutron_agent: true
+ probes:
+ rpc_timeout: 60
+ rpc_retries: 2
+ dhcp_agent:
+ dhcp_agent:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 190
+ timeoutSeconds: 185
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 600
+ timeoutSeconds: 580
+ l3_agent:
+ l3_agent:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 190
+ timeoutSeconds: 185
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 600
+ timeoutSeconds: 580
+ lb_agent:
+ lb_agent:
+ readiness:
+ enabled: true
+ metadata_agent:
+ metadata_agent:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 190
+ timeoutSeconds: 185
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 600
+ timeoutSeconds: 580
+ ovs_agent:
+ ovs_agent:
+ readiness:
+ enabled: true
+ params:
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 600
+ timeoutSeconds: 580
+ sriov_agent:
+ sriov_agent:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 190
+ timeoutSeconds: 185
+ bagpipe_bgp:
+ bagpipe_bgp:
+ readiness:
+ enabled: true
+ params:
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 60
+ l2gw_agent:
+ l2gw_agent:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 15
+ timeoutSeconds: 65
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 90
+ timeoutSeconds: 70
+ server:
+ server:
+ readiness:
+ enabled: true
+ params:
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 60
+ security_context:
+ neutron_dhcp_agent:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_dhcp_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_l2gw_agent:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_l2gw_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_bagpipe_bgp:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_bagpipe_bgp:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_l3_agent:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_l3_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_lb_agent:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_lb_agent_kernel_modules:
+ capabilities:
+ add:
+ - SYS_MODULE
+ - SYS_CHROOT
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ neutron_lb_agent_init:
+ privileged: true
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ neutron_lb_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_metadata_agent:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_metadata_agent_init:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ neutron_ovs_agent:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_openvswitch_agent_kernel_modules:
+ capabilities:
+ add:
+ - SYS_MODULE
+ - SYS_CHROOT
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ neutron_ovs_agent_init:
+ privileged: true
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ neutron_ovs_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_server:
+ pod:
+ runAsUser: 42424
+ container:
+ nginx:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+ neutron_server:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ neutron_sriov_agent:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_sriov_agent_init:
+ privileged: true
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+ neutron_sriov_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_ironic_agent:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_ironic_agent:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ neutron_netns_cleanup_cron:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_netns_cleanup_cron:
+ readOnlyRootFilesystem: true
+ privileged: true
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ tolerations:
+ neutron:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ mounts:
+ neutron_server:
+ init_container: null
+ neutron_server:
+ volumeMounts:
+ volumes:
+ neutron_dhcp_agent:
+ init_container: null
+ neutron_dhcp_agent:
+ volumeMounts:
+ volumes:
+ neutron_l3_agent:
+ init_container: null
+ neutron_l3_agent:
+ volumeMounts:
+ volumes:
+ neutron_lb_agent:
+ init_container: null
+ neutron_lb_agent:
+ volumeMounts:
+ volumes:
+ neutron_metadata_agent:
+ init_container: null
+ neutron_metadata_agent:
+ volumeMounts:
+ volumes:
+ neutron_ovs_agent:
+ init_container: null
+ neutron_ovs_agent:
+ volumeMounts:
+ volumes:
+ neutron_sriov_agent:
+ init_container: null
+ neutron_sriov_agent:
+ volumeMounts:
+ volumes:
+ neutron_l2gw_agent:
+ init_container: null
+ neutron_l2gw_agent:
+ volumeMounts:
+ volumes:
+ bagpipe_bgp:
+ init_container: null
+ bagpipe_bgp:
+ volumeMounts:
+ volumes:
+ neutron_ironic_agent:
+ init_container: null
+ neutron_ironic_agent:
+ volumeMounts:
+ volumes:
+ neutron_netns_cleanup_cron:
+ init_container: null
+ neutron_netns_cleanup_cron:
+ volumeMounts:
+ volumes:
+ neutron_tests:
+ init_container: null
+ neutron_tests:
+ volumeMounts:
+ volumes:
+ neutron_bootstrap:
+ init_container: null
+ neutron_bootstrap:
+ volumeMounts:
+ volumes:
+ neutron_db_sync:
+ neutron_db_sync:
+ volumeMounts:
+ - name: db-sync-conf
+ mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+ subPath: ml2_conf.ini
+ readOnly: true
+ volumes:
+ replicas:
+ server: 1
+ ironic_agent: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ daemonsets:
+ pod_replacement_strategy: RollingUpdate
+ dhcp_agent:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ l3_agent:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ lb_agent:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ metadata_agent:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ ovs_agent:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ sriov_agent:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ netns_cleanup_cron:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ disruption_budget:
+ server:
+ min_available: 0
+ termination_grace_period:
+ server:
+ timeout: 30
+ ironic_agent:
+ timeout: 30
+ resources:
+ enabled: false
+ agent:
+ dhcp:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ l3:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ lb:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ metadata:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ovs:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ sriov:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ l2gw:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ bagpipe_bgp:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ server:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ironic_agent:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ netns_cleanup_cron:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+conf:
+ rally_tests:
+ force_project_purge: false
+ run_tempest: false
+ clean_up: |
+ # NOTE: We will make the best effort to clean up rally generated networks and routers,
+ # but should not block further automated deployment.
+ set +e
+ PATTERN="^[sc]_rally_"
+
+ ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
+ NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
+
+ for ROUTER in $ROUTERS
+ do
+ openstack router unset --external-gateway $ROUTER
+ openstack router set --disable --no-ha $ROUTER
+
+ SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
+ for SUBN in $SUBNS
+ do
+ openstack router remove subnet $ROUTER $SUBN
+ done
+
+ for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
+ do
+ openstack router remove port $ROUTER $PORT
+ done
+
+ openstack router delete $ROUTER
+ done
+
+ for NETWORK in $NETWORKS
+ do
+ for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
+ do
+ openstack port delete $PORT
+ done
+ openstack network delete $NETWORK
+ done
+ set -e
+ tests:
+ NeutronNetworks.create_and_delete_networks:
+ - args:
+ network_create_args: {}
+ context:
+ quotas:
+ neutron:
+ network: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_delete_ports:
+ - args:
+ network_create_args: {}
+ port_create_args: {}
+ ports_per_network: 10
+ context:
+ network: {}
+ quotas:
+ neutron:
+ network: -1
+ port: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_delete_routers:
+ - args:
+ network_create_args: {}
+ router_create_args: {}
+ subnet_cidr_start: 1.1.0.0/30
+ subnet_create_args: {}
+ subnets_per_network: 2
+ context:
+ network: {}
+ quotas:
+ neutron:
+ network: -1
+ router: -1
+ subnet: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_delete_subnets:
+ - args:
+ network_create_args: {}
+ subnet_cidr_start: 1.1.0.0/30
+ subnet_create_args: {}
+ subnets_per_network: 2
+ context:
+ network: {}
+ quotas:
+ neutron:
+ network: -1
+ subnet: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_list_routers:
+ - args:
+ network_create_args: {}
+ router_create_args: {}
+ subnet_cidr_start: 1.1.0.0/30
+ subnet_create_args: {}
+ subnets_per_network: 2
+ context:
+ network: {}
+ quotas:
+ neutron:
+ network: -1
+ router: -1
+ subnet: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_list_subnets:
+ - args:
+ network_create_args: {}
+ subnet_cidr_start: 1.1.0.0/30
+ subnet_create_args: {}
+ subnets_per_network: 2
+ context:
+ network: {}
+ quotas:
+ neutron:
+ network: -1
+ subnet: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_show_network:
+ - args:
+ network_create_args: {}
+ context:
+ quotas:
+ neutron:
+ network: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_update_networks:
+ - args:
+ network_create_args: {}
+ network_update_args:
+ admin_state_up: false
+ context:
+ quotas:
+ neutron:
+ network: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_update_ports:
+ - args:
+ network_create_args: {}
+ port_create_args: {}
+ port_update_args:
+ admin_state_up: false
+ device_id: dummy_id
+ device_owner: dummy_owner
+ ports_per_network: 5
+ context:
+ network: {}
+ quotas:
+ neutron:
+ network: -1
+ port: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_update_routers:
+ - args:
+ network_create_args: {}
+ router_create_args: {}
+ router_update_args:
+ admin_state_up: false
+ subnet_cidr_start: 1.1.0.0/30
+ subnet_create_args: {}
+ subnets_per_network: 2
+ context:
+ network: {}
+ quotas:
+ neutron:
+ network: -1
+ router: -1
+ subnet: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.create_and_update_subnets:
+ - args:
+ network_create_args: {}
+ subnet_cidr_start: 1.4.0.0/16
+ subnet_create_args: {}
+ subnet_update_args:
+ enable_dhcp: false
+ subnets_per_network: 2
+ context:
+ network: {}
+ quotas:
+ neutron:
+ network: -1
+ subnet: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronNetworks.list_agents:
+ - args:
+ agent_args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronSecurityGroup.create_and_list_security_groups:
+ - args:
+ security_group_create_args: {}
+ context:
+ quotas:
+ neutron:
+ security_group: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NeutronSecurityGroup.create_and_update_security_groups:
+ - args:
+ security_group_create_args: {}
+ security_group_update_args: {}
+ context:
+ quotas:
+ neutron:
+ security_group: -1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ paste:
+ composite:neutron:
+ use: egg:Paste#urlmap
+ /: neutronversions_composite
+ /v2.0: neutronapi_v2_0
+ composite:neutronapi_v2_0:
+ use: call:neutron.auth:pipeline_factory
+ noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
+ keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
+ composite:neutronversions_composite:
+ use: call:neutron.auth:pipeline_factory
+ noauth: cors http_proxy_to_wsgi neutronversions
+ keystone: cors http_proxy_to_wsgi neutronversions
+ filter:request_id:
+ paste.filter_factory: oslo_middleware:RequestId.factory
+ filter:catch_errors:
+ paste.filter_factory: oslo_middleware:CatchErrors.factory
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: neutron
+ filter:http_proxy_to_wsgi:
+ paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+ filter:keystonecontext:
+ paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/neutron/api_audit_map.conf
+ filter:extensions:
+ paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
+ app:neutronversions:
+ paste.app_factory: neutron.pecan_wsgi.app:versions_factory
+ app:neutronapiapp_v2_0:
+ paste.app_factory: neutron.api.v2.router:APIRouter.factory
+ filter:osprofiler:
+ paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
+ policy: {}
+ api_audit_map:
+ DEFAULT:
+ target_endpoint_type: None
+ custom_actions:
+ add_router_interface: update/add
+ remove_router_interface: update/remove
+ path_keywords:
+ floatingips: ip
+ healthmonitors: healthmonitor
+ health_monitors: health_monitor
+ lb: None
+ members: member
+ metering-labels: label
+ metering-label-rules: rule
+ networks: network
+ pools: pool
+ ports: port
+ routers: router
+ quotas: quota
+ security-groups: security-group
+ security-group-rules: rule
+ subnets: subnet
+ vips: vip
+ service_endpoints:
+ network: service/network
+ neutron_sudoers: |
+ # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+ Defaults !requiretty
+ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+ neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
+ neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
+ rootwrap: |
+ # Configuration for neutron-rootwrap
+ # This file should be owned by (and only-writeable by) the root user
+
+ [DEFAULT]
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d
+
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog=False
+
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility=syslog
+
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level=ERROR
+
+ [xenapi]
+ # XenAPI configuration is only required by the L2 agent if it is to
+ # target a XenServer/XCP compute host's dom0.
+ xenapi_connection_url=<None>
+ xenapi_connection_username=root
+ xenapi_connection_password=<None>
+ rootwrap_filters:
+ debug:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # This is needed because we should ping
+ # from inside a namespace which requires root
+ # _alt variants allow to match -c and -w in any order
+ # (used by NeutronDebugAgent.ping_all)
+ ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
+ ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+ ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
+ dibbler:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # Filters for the dibbler-based reference implementation of the pluggable
+ # Prefix Delegation driver. Other implementations using an alternative agent
+ # should include a similar filter in this folder.
+
+ # prefix_delegation_agent
+ dibbler-client: CommandFilter, dibbler-client, root
+ ipset_firewall:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+ # neutron/agent/linux/iptables_firewall.py
+ # "ipset", "-A", ...
+ ipset: CommandFilter, ipset, root
+ l3:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # arping
+ arping: CommandFilter, arping, root
+
+ # l3_agent
+ sysctl: CommandFilter, sysctl, root
+ route: CommandFilter, route, root
+ radvd: CommandFilter, radvd, root
+
+ # haproxy
+ haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
+ kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
+
+ # metadata proxy
+ metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+ # RHEL invocation of the metadata proxy will report /usr/bin/python
+ kill_metadata: KillFilter, root, python, -15, -9
+ kill_metadata2: KillFilter, root, python2, -15, -9
+ kill_metadata7: KillFilter, root, python2.7, -15, -9
+ kill_metadata3: KillFilter, root, python3, -15, -9
+ kill_metadata35: KillFilter, root, python3.5, -15, -9
+ kill_metadata36: KillFilter, root, python3.6, -15, -9
+ kill_metadata37: KillFilter, root, python3.7, -15, -9
+ kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
+ kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ ip_exec: IpNetnsExecFilter, ip, root
+
+ # l3_tc_lib
+ l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
+ l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
+ l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
+ l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
+ l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
+ l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
+ l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
+
+ # For ip monitor
+ kill_ip_monitor: KillFilter, root, ip, -9
+
+ # ovs_lib (if OVSInterfaceDriver is used)
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+ # iptables_manager
+ iptables-save: CommandFilter, iptables-save, root
+ iptables-restore: CommandFilter, iptables-restore, root
+ ip6tables-save: CommandFilter, ip6tables-save, root
+ ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+ # Keepalived
+ keepalived: CommandFilter, keepalived, root
+ kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
+
+ # l3 agent to delete floatingip's conntrack state
+ conntrack: CommandFilter, conntrack, root
+
+ # keepalived state change monitor
+ keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+ # The following filters are used to kill the keepalived state change monitor.
+ # Since the monitor runs as a Python script, the system reports that the
+ # command of the process to be killed is python.
+ # TODO(mlavalle) These kill filters will be updated once we come up with a
+ # mechanism to kill using the name of the script being executed by Python
+ kill_keepalived_monitor_py: KillFilter, root, python, -15
+ kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
+ kill_keepalived_monitor_py3: KillFilter, root, python3, -15
+ kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
+ kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
+ kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
+ netns_cleanup:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ - netns_cleanup_cron
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # netns-cleanup
+ netstat: CommandFilter, netstat, root
+ dhcp:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ - netns_cleanup_cron
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # dhcp-agent
+ dnsmasq: CommandFilter, dnsmasq, root
+ # dhcp-agent uses kill as well, that's handled by the generic KillFilter
+ # it looks like these are the only signals needed, per
+ # neutron/agent/linux/dhcp.py
+ kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
+ kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
+
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+ ivs-ctl: CommandFilter, ivs-ctl, root
+ mm-ctl: CommandFilter, mm-ctl, root
+ dhcp_release: CommandFilter, dhcp_release, root
+ dhcp_release6: CommandFilter, dhcp_release6, root
+
+ # metadata proxy
+ metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
+ # RHEL invocation of the metadata proxy will report /usr/bin/python
+ kill_metadata: KillFilter, root, python, -9
+ kill_metadata2: KillFilter, root, python2, -9
+ kill_metadata7: KillFilter, root, python2.7, -9
+ kill_metadata3: KillFilter, root, python3, -9
+ kill_metadata35: KillFilter, root, python3.5, -9
+ kill_metadata36: KillFilter, root, python3.6, -9
+ kill_metadata37: KillFilter, root, python3.7, -9
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ ip_exec: IpNetnsExecFilter, ip, root
+ ebtables:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ ebtables: CommandFilter, ebtables, root
+ iptables_firewall:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # neutron/agent/linux/iptables_firewall.py
+ # "iptables-save", ...
+ iptables-save: CommandFilter, iptables-save, root
+ iptables-restore: CommandFilter, iptables-restore, root
+ ip6tables-save: CommandFilter, ip6tables-save, root
+ ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+ # neutron/agent/linux/iptables_firewall.py
+ # "iptables", "-A", ...
+ iptables: CommandFilter, iptables, root
+ ip6tables: CommandFilter, ip6tables, root
+
+ # neutron/agent/linux/iptables_firewall.py
+ sysctl: CommandFilter, sysctl, root
+
+ # neutron/agent/linux/ip_conntrack.py
+ conntrack: CommandFilter, conntrack, root
+ linuxbridge_plugin:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # linuxbridge-agent
+ # unclear whether both variants are necessary, but I'm transliterating
+ # from the old mechanism
+ brctl: CommandFilter, brctl, root
+ bridge: CommandFilter, bridge, root
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ ip_exec: IpNetnsExecFilter, ip, root
+
+ # tc commands needed for QoS support
+ tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
+ tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
+ tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
+ tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
+ tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
+ tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
+ openvswitch_plugin:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ content: |
+ # neutron-rootwrap command filters for nodes on which neutron is
+ # expected to control network
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # openvswitch-agent
+ # unclear whether both variants are necessary, but I'm transliterating
+ # from the old mechanism
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+ # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
+ ovs-ofctl: CommandFilter, ovs-ofctl, root
+ ovs-appctl: CommandFilter, ovs-appctl, root
+ kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
+ ovsdb-client: CommandFilter, ovsdb-client, root
+ xe: CommandFilter, xe, root
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
+ ip_exec: IpNetnsExecFilter, ip, root
+
+ # needed for FDB extension
+ bridge: CommandFilter, bridge, root
+ privsep:
+ pods:
+ - dhcp_agent
+ - l3_agent
+ - lb_agent
+ - metadata_agent
+ - ovs_agent
+ - sriov_agent
+ - netns_cleanup_cron
+ content: |
+ # Command filters to allow privsep daemon to be started via rootwrap.
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ [Filters]
+
+ # By installing the following, the local admin is asserting that:
+ #
+ # 1. The python module load path used by privsep-helper
+ # command as root (as started by sudo/rootwrap) is trusted.
+ # 2. Any oslo.config files matching the --config-file
+ # arguments below are trusted.
+ # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
+ # also allowed to invoke python "entrypoint" functions from
+ # --privsep_context with the additional (possibly root) privileges
+ # configured for that context.
+ #
+ # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
+ #
+ # In particular, the oslo.config and python module path must not
+ # be writeable by the unprivileged user.
+
+ # oslo.privsep default neutron context
+ privsep: PathFilter, privsep-helper, root,
+ --config-file, /etc,
+ --privsep_context, neutron.privileged.default,
+ --privsep_sock_path, /
+
+ # NOTE: A second `--config-file` arg can also be added above. Since
+ # many neutron components are installed like that (eg: by devstack).
+ # Adjust to suit local requirements.
+ linux_vxlan:
+ pods:
+ - bagpipe_bgp
+ content: |
+ # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
+ # expected to control VXLAN Linux Bridge dataplane
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ #
+ modprobe: CommandFilter, modprobe, root
+
+ #
+ brctl: CommandFilter, brctl, root
+ bridge: CommandFilter, bridge, root
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ ip_exec: IpNetnsExecFilter, ip, root
+
+ # shell (for piped commands)
+ sh: CommandFilter, sh, root
+ mpls_ovs_dataplane:
+ pods:
+ - bagpipe_bgp
+ content: |
+ # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
+ # expected to control MPLS OpenVSwitch dataplane
+ #
+ # This file should be owned by (and only-writeable by) the root user
+
+ # format seems to be
+ # cmd-name: filter-name, raw-command, user, args
+
+ [Filters]
+
+ # openvswitch
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+ ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+ # ip_lib
+ ip: IpFilter, ip, root
+ ip_exec: IpNetnsExecFilter, ip, root
+
+ # shell (for piped commands)
+ sh: CommandFilter, sh, root
+ neutron:
+ DEFAULT:
+ metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
+ log_config_append: /etc/neutron/logging.conf
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ bind_port: null
+ default_availability_zones: nova
+ api_workers: 1
+ rpc_workers: 4
+ allow_overlapping_ips: True
+ state_path: /var/lib/neutron
+ # core_plugin can be: ml2, calico
+ core_plugin: ml2
+ # service_plugin can be: router, odl-router, empty for calico,
+ # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
+ service_plugins: router
+ allow_automatic_l3agent_failover: True
+ l3_ha: True
+ max_l3_agents_per_router: 2
+ l3_ha_network_type: vxlan
+ network_auto_schedule: True
+ router_auto_schedule: True
+ # (NOTE)portdirect: if unset this is populated dynamically from the value in
+ # 'network.backend' to sane defaults.
+ interface_driver: null
+ oslo_concurrency:
+ lock_path: /var/lib/neutron/tmp
+ database:
+ max_retries: -1
+ agent:
+ root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
+ root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
+ oslo_messaging_notifications:
+ driver: messagingv2
+ oslo_messaging_rabbit:
+ rabbit_ha_queues: true
+ oslo_middleware:
+ enable_proxy_headers_parsing: true
+ oslo_policy:
+ policy_file: /etc/neutron/policy.yaml
+ nova:
+ auth_type: password
+ auth_version: v3
+ endpoint_type: internal
+ designate:
+ auth_type: password
+ auth_version: v3
+ endpoint_type: internal
+ allow_reverse_dns_lookup: true
+ ironic:
+ endpoint_type: internal
+ keystone_authtoken:
+ memcache_security_strategy: ENCRYPT
+ auth_type: password
+ auth_version: v3
+ octavia:
+ request_poll_timeout: 3000
+ logging:
+ loggers:
+ keys:
+ - root
+ - neutron
+ - neutron_taas
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_neutron:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: neutron
+ logger_neutron_taas:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: neutron_taas
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ plugins:
+ ml2_conf:
+ ml2:
+ extension_drivers: port_security
+ # (NOTE)portdirect: if unset this is populated dyanmicly from the value
+ # in 'network.backend' to sane defaults.
+ mechanism_drivers: null
+ type_drivers: flat,vlan,vxlan
+ tenant_network_types: vxlan
+ ml2_type_vxlan:
+ vni_ranges: 1:1000
+ vxlan_group: 239.1.1.1
+ ml2_type_flat:
+ flat_networks: "*"
+ # If you want to use the external network as a tagged provider network,
+ # a range should be specified including the intended VLAN target
+ # using ml2_type_vlan.network_vlan_ranges:
+ # ml2_type_vlan:
+ # network_vlan_ranges: "external:1100:1110"
+ agent:
+ extensions: ""
+ ml2_conf_sriov: null
+ taas:
+ taas:
+ enabled: False
+ openvswitch_agent:
+ agent:
+ tunnel_types: vxlan
+ l2_population: True
+ arp_responder: True
+ ovs:
+ bridge_mappings: "external:br-ex"
+ securitygroup:
+ firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+ linuxbridge_agent:
+ linux_bridge:
+ # To define Flat and VLAN connections, in LB we can assign
+ # specific interface to the flat/vlan network name using:
+ # physical_interface_mappings: "external:eth3"
+ # Or we can set the mapping between the network and bridge:
+ bridge_mappings: "external:br-ex"
+ # The two above options are exclusive, do not use both of them at once
+ securitygroup:
+ firewall_driver: iptables
+ vxlan:
+ l2_population: True
+ arp_responder: True
+ macvtap_agent: null
+ sriov_agent:
+ securitygroup:
+ firewall_driver: neutron.agent.firewall.NoopFirewallDriver
+ sriov_nic:
+ physical_device_mappings: physnet2:enp3s0f1
+ # NOTE: do not use null here, use an empty string
+ exclude_devices: ""
+ dhcp_agent:
+ DEFAULT:
+ # (NOTE)portdirect: if unset this is populated dyanmicly from the value in
+ # 'network.backend' to sane defaults.
+ interface_driver: null
+ dnsmasq_config_file: /etc/neutron/dnsmasq.conf
+ force_metadata: True
+ dnsmasq: |
+ #no-hosts
+ #port=5353
+ #cache-size=500
+ #no-negcache
+ #dns-forward-max=100
+ #resolve-file=
+ #strict-order
+ #bind-interface
+ #bind-dynamic
+ #domain=
+ #dhcp-range=10.10.10.10,10.10.10.100,24h
+ #dhcp-lease-max=150
+ #dhcp-host=11:22:33:44:55:66,ignore
+ #dhcp-option=3,10.10.10.1
+ #dhcp-option-force=26,1450
+
+ l3_agent:
+ DEFAULT:
+ # (NOTE)portdirect: if unset this is populated dyanmicly from the value in
+ # 'network.backend' to sane defaults.
+ interface_driver: null
+ agent_mode: legacy
+ metering_agent: null
+ metadata_agent:
+ DEFAULT:
+ # we cannot change the proxy socket path as it is declared
+ # as a hostPath volume from agent daemonsets
+ metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
+ metadata_proxy_shared_secret: "password"
+ cache:
+ enabled: true
+ backend: dogpile.cache.memcached
+ bagpipe_bgp: {}
+
+ rabbitmq:
+ # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+ policies:
+ - vhost: "neutron"
+ name: "ha_ttl_neutron"
+ definition:
+ # mirror messges to other nodes in rmq cluster
+ ha-mode: "all"
+ ha-sync-mode: "automatic"
+ # 70s
+ message-ttl: 70000
+ priority: 0
+ apply-to: all
+ pattern: '^(?!(amq\.|reply_)).*'
+ ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
+ ## This helps prevent sriov init script from failing due to mis-matched NIC
+ ## For prod env, target NIC should match and init script should fail otherwise.
+ ## sriov_init:
+ ## - besteffort
+ sriov_init:
+ -
+ # auto_bridge_add is a table of "bridge: interface" pairs
+ # To automatically add a physical interfaces to a specific bridges,
+ # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
+ # to br1 do something like:
+ #
+ # auto_bridge_add:
+ # br-physnet1: eth3
+ # br0: if0
+ # br1: iface_two
+ # br-ex will be added by default
+ auto_bridge_add:
+ br-ex: null
+
+ # configuration of OVS DPDK bridges and NICs
+ # this is a separate section and not part of the auto_bridge_add section
+ # because additional parameters are needed
+ ovs_dpdk:
+ enabled: false
+ # setting update_dpdk_bond_config to true will have default behavior,
+ # which may cause disruptions in ovs dpdk traffic in case of neutron
+ # ovs agent restart or when dpdk nic/bond configurations are changed.
+ # Setting this to false will configure dpdk in the first run and
+ # disable nic/bond config on event of restart or config update.
+ update_dpdk_bond_config: true
+ driver: uio_pci_generic
+ # In case bonds are configured, the nics which are part of those bonds
+ # must NOT be provided here.
+ nics:
+ - name: dpdk0
+ pci_id: '0000:05:00.0'
+ # Set VF Index in case some particular VF(s) need to be
+ # used with ovs-dpdk.
+ # vf_index: 0
+ bridge: br-phy
+ migrate_ip: true
+ n_rxq: 2
+ n_txq: 2
+ pmd_rxq_affinity: "0:3,1:27"
+ ofport_request: 1
+ # optional parameters for tuning the OVS DPDK config
+ # in alignment with the available hardware resources
+ # mtu: 2000
+ # n_rxq_size: 1024
+ # n_txq_size: 1024
+ # vhost-iommu-support: true
+ bridges:
+ - name: br-phy
+ # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
+ # - tunnel_underlay_vlan: 45
+ # Optional parameter for configuring bonding in OVS-DPDK
+ # - name: br-phy-bond0
+ # bonds:
+ # - name: dpdkbond0
+ # bridge: br-phy-bond0
+ # # The IP from the first nic in nics list shall be used
+ # migrate_ip: true
+ # mtu: 2000
+ # # Please note that n_rxq is set for each NIC individually
+ # # rather than denoting the total number of rx queues for
+ # # the bond as a whole. So setting n_rxq = 2 below for ex.
+ # # would be 4 rx queues in total for the bond.
+ # # Same for n_txq
+ # n_rxq: 2
+ # n_txq: 2
+ # ofport_request: 1
+ # n_rxq_size: 1024
+ # n_txq_size: 1024
+ # vhost-iommu-support: true
+ # ovs_options: "bond_mode=active-backup"
+ # nics:
+ # - name: dpdk_b0s0
+ # pci_id: '0000:06:00.0'
+ # pmd_rxq_affinity: "0:3,1:27"
+ # # Set VF Index in case some particular VF(s) need to be
+ # # used with ovs-dpdk. In which case pci_id of PF must be
+ # # provided above.
+ # # vf_index: 0
+ # - name: dpdk_b0s1
+ # pci_id: '0000:07:00.0'
+ # pmd_rxq_affinity: "0:3,1:27"
+ # # Set VF Index in case some particular VF(s) need to be
+ # # used with ovs-dpdk. In which case pci_id of PF must be
+ # # provided above.
+ # # vf_index: 0
+ #
+ # Set the log level for each target module (default level is always dbg)
+ # Supported log levels are: off, emer, err, warn, info, dbg
+ #
+ # modules:
+ # - name: dpdk
+ # log_level: info
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: neutron-keystone-admin
+ neutron: neutron-keystone-user
+ test: neutron-keystone-test
+ oslo_db:
+ admin: neutron-db-admin
+ neutron: neutron-db-user
+ oslo_messaging:
+ admin: neutron-rabbitmq-admin
+ neutron: neutron-rabbitmq-user
+ tls:
+ compute_metadata:
+ metadata:
+ internal: metadata-tls-metadata
+ network:
+ server:
+ public: neutron-tls-public
+ internal: neutron-tls-server
+ oci_image_registry:
+ neutron: neutron-oci-image-registry
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ neutron:
+ username: neutron
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ neutron:
+ username: neutron
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /neutron
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ secret:
+ tls:
+ internal: rabbitmq-tls-direct
+ neutron:
+ username: neutron
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /neutron
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ compute:
+ name: nova
+ hosts:
+ default: nova-api
+ public: nova
+ host_fqdn_override:
+ default: null
+ path:
+ default: "/v2.1/%(tenant_id)s"
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8774
+ public: 80
+ novncproxy:
+ default: 6080
+ compute_metadata:
+ name: nova
+ hosts:
+ default: nova-metadata
+ public: metadata
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: 'http'
+ port:
+ metadata:
+ default: 8775
+ public: 80
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ neutron:
+ role: admin
+ region_name: RegionOne
+ username: neutron
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ nova:
+ region_name: RegionOne
+ project_name: service
+ username: nova
+ password: password
+ user_domain_name: service
+ project_domain_name: service
+ designate:
+ region_name: RegionOne
+ project_name: service
+ username: designate
+ password: password
+ user_domain_name: service
+ project_domain_name: service
+ ironic:
+ region_name: RegionOne
+ project_name: service
+ username: ironic
+ password: password
+ user_domain_name: service
+ project_domain_name: service
+ test:
+ role: admin
+ region_name: RegionOne
+ username: neutron-test
+ password: password
+ # NOTE: this project will be purged and reset if
+ # conf.rally_tests.force_project_purge is set to true
+ # which may be required upon test failure, but be aware that this will
+ # expunge all openstack objects, so if this is used a seperate project
+ # should be used for each helm test, and also it should be ensured
+ # that this project is not in use by other tenants
+ project_name: test
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ network:
+ name: neutron
+ hosts:
+ default: neutron-server
+ public: neutron
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: null
+ scheme:
+ default: 'http'
+ service: 'http'
+ port:
+ api:
+ default: 9696
+ public: 80
+ service: 9696
+ load_balancer:
+ name: octavia
+ hosts:
+ default: octavia-api
+ public: octavia
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: http
+ port:
+ api:
+ default: 9876
+ public: 80
+ fluentd:
+ namespace: osh-infra
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+ dns:
+ name: designate
+ hosts:
+ default: designate-api
+ public: designate
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 9001
+ public: 80
+ baremetal:
+ name: ironic
+ hosts:
+ default: ironic-api
+ public: ironic
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 6385
+ public: 80
+ # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+ # They are using to enable the Egress K8s network policy.
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns:
+ default: 53
+ protocol: UDP
+ ingress:
+ namespace: null
+ name: ingress
+ hosts:
+ default: ingress
+ port:
+ ingress:
+ default: 80
+
+network_policy:
+ neutron:
+ # TODO(lamt): Need to tighten this ingress for security.
+ ingress:
+ - {}
+ egress:
+ - {}
+
+helm3_hook: true
+
+health_probe:
+ logging:
+ level: ERROR
+
+tls:
+ identity: false
+ oslo_messaging: false
+ oslo_db: false
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ daemonset_dhcp_agent: true
+ daemonset_l3_agent: true
+ daemonset_lb_agent: true
+ daemonset_metadata_agent: true
+ daemonset_ovs_agent: true
+ daemonset_sriov_agent: true
+ daemonset_l2gw_agent: false
+ daemonset_bagpipe_bgp: false
+ daemonset_netns_cleanup_cron: true
+ deployment_ironic_agent: false
+ deployment_server: true
+ ingress_server: true
+ job_bootstrap: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ job_rabbit_init: true
+ pdb_server: true
+ pod_rally_test: true
+ network_policy: false
+ secret_db: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ secret_registry: true
+ service_ingress_server: true
+ service_server: true
+...
diff --git a/charts/nova/.helmignore b/charts/nova/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/nova/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/nova/Chart.yaml b/charts/nova/Chart.yaml
new file mode 100644
index 0000000..e43c866
--- /dev/null
+++ b/charts/nova/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Nova
+home: https://docs.openstack.org/nova/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: nova
+sources:
+- https://opendev.org/openstack/nova
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.32
diff --git a/charts/nova/charts/helm-toolkit/Chart.yaml b/charts/nova/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..751c291
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.38
diff --git a/charts/nova/charts/helm-toolkit/requirements.yaml b/charts/nova/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
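Review bot: The `abstract:` of this helper was copied from the sibling `hostname_namespaced_endpoint_lookup` and still says it "Resolves the namespace scoped hostname for an endpoint", but the body only resolves `$endpointMap.namespace | default $context.Release.Namespace` and prints the namespace, as the `return: default` example shows. The header should say what the function actually returns, e.g. `Resolves the namespace an endpoint's service lives in (endpoints.<type>.namespace, falling back to the release namespace)`. Callers that rely on this value to build cross-namespace references will otherwise read the wrong contract from the doc block.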
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
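Review bot: The IPv4 test on the `regexMatch` line is unanchored, so any hostname that merely contains a dotted quad (for example `db-10.0.0.1.nip.io`) is classified as an IP and the helper returns `$type` instead of the configured host; IPv6 literals are not recognised at all. Anchoring the pattern limits the substitution to bare IPv4 literals: `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`. This matters beyond cosmetics because `helm-toolkit.manifests.certificates` derives its default `dnsNames` from this function, so a misclassified host yields a certificate for the wrong name. `$endpointScheme` is assigned from `$endpointMap.scheme` but never used and can be removed.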
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
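Review bot: The `usage:` example in the doc block does not match the definition: it passes an unquoted `identity` and includes `"keystone_endpoint_name_lookup"` without the `helm-toolkit.endpoints.` prefix that the `define` line uses, so copying it would fail to render. It should read `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. It is also worth stating in the header that, unlike the other endpoint lookups, this one returns the name already wrapped by `quote`, since the `return:` example shows `"keystone"` with quotes and callers must not quote it again.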
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
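Review bot: Both branches fall back to plain `http` when no scheme is configured (the `default "http"` on the two `printf` lines), so a missing or misspelled `scheme` key silently produces plaintext URIs for an endpoint that was meant to be TLS, with no signal to the operator. Since this is the scheme that `keystone_endpoint_uri_lookup` bakes into every service URI, the header comment should make the fallback explicit, e.g. `{{/* NOTE: a missing scheme resolves to plain "http"; set scheme.default explicitly for any endpoint that must be TLS. */}}`, and charts that cannot tolerate a plaintext fallback should fail the render with `required` instead of defaulting. The `$port` argument is accepted but never read, as the FIXME above already notes.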
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/nova/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
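Review bot: `index .hosts $endpoint | default .hosts.default` does not unwrap the `host:` map form that `hostname_short_endpoint_lookup` accepts (`hosts: {public: {host: barbican}}`), so such a value reaches `regexMatch` as a map and the render fails rather than returning `namespace:name`. Adding the same unwrap after that line keeps the two helpers consistent: `{{- if kindIs "map" $endpointName }}{{- $endpointName = index $endpointName "host" }}{{- end }}`. The IPv4 regex is also unanchored, so a hostname that merely contains a dotted quad is treated as an IP; `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` restricts it to bare literals. Finally, `if .service.name` presumably errors with a nil-pointer evaluation when no `service` key exists under the endpoint, which is exactly the IP-host case the branch is meant to handle; guarding it with `if and .service .service.name` avoids that.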
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
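Review bot: `monitors: {{ $monHost }}` is the only parameter emitted unquoted, while every entry from `storageclass_data.parameters` goes through `quote`. The value comes straight from `conf.ceph.global.mon_host`, and a mon_host string in Ceph's msgr2 form (presumably something like `[v2:10.0.0.1:3300/0,v1:10.0.0.1:6789/0]`) would be parsed by YAML as a flow sequence rather than a string, breaking the StorageClass; `monitors: {{ $monHost | quote }}` makes it robust regardless of the configured form. It is also worth a header note that `adminSecretNamespace`/`adminSecretName` point the provisioner at a Ceph admin secret in another namespace, so whoever can create PVCs against this class indirectly uses that admin identity; the example's `admin_id: admin` is a broad default that deployments should narrow to a pool-scoped user.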
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
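Review bot: Two of the defaults applied to `$slice` deserve a caveat in the header comment. Every certificate issued through this helper carries `client auth` as well as `server auth` unless `usages` is set, so a leaked server key is also a valid client credential wherever the issuing CA is trusted for mTLS; I would add above the `usages` default `{{/* NOTE: "client auth" is included by default; drop it for pure server endpoints so the key cannot be reused as a client identity. */}}`. Separately, `{{ $slice | toYaml | indent 2 }}` copies the entire `host_fqdn_override.default.tls` map into `spec`, so any key placed there that is not a Certificate spec field (the ingress helper's examples keep `crt`/`key`/`ca` under a sibling `tls` map) would be rendered into a non-secret resource; either document that this map must hold only cert-manager spec fields or restrict the emitted keys explicitly. Note also that the `set` calls mutate `.Values` in place, so the defaults persist for any later template that reads the same map in the same render.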
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..c1693aa
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/nova/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
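Review bot: The heredoc on L161288-L161314 writes `OS_PASSWORD` and `SERVICE_OS_PASSWORD` into `/tmp/rally-config.json` under the process's default umask, and the file is only removed on L161316 after `rally deployment create` returns — with `set -e` a failure on L161315 leaves the credentials on disk for the life of the pod. A `umask 077` before the heredoc (or `mktemp`) and an `rm -f` in the EXIT trap would bound that; note `rally_cleanup` is only installed when `RALLY_CLEANUP` is true (L161266). Separately, the test on L161278 is unquoted, so an empty `rally db revision` output produces a `[: =: unary operator expected` error instead of taking a branch; `if [ "${revisionResults}" = "None" ]` avoids that.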
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..db12915
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,540 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+local A_FILE="$1"
+local A_DATE=""
+if [[ -z ${BACK_UP_MODE} ]]; then
+ A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
+else
+ A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
+fi
+echo ${A_DATE}
+}
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+ ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -rf $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
+ ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ create_hash_table $(cat $DB_BACKUP_FILES)
+ remove_old_remote_archives
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
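Review bot: The temp-file cleanup at the end of `remove_old_remote_archives` (L161752-L161757) closes neither its `if` nor its `for` before the function's `}`, so bash stops with a parse error when this file is sourced and nothing defined after it — including `backup_databases` (L161765) — exists for the database-specific script that calls it; the loop body also tests and removes the literal name `fd` (`[[ -f fd ]]`, `rm -f fd`) rather than `${fd}`. Even with the syntax repaired, L161739-L161740 iterate `${!FILETABLE[@]}` while `create_hash_table` (L161625-L161644) populates `fileTable`, so remote retention never deletes anything and dump tarballs accumulate in the RGW container past `REMOTE_DAYS_TO_KEEP`; the first `remove_old_local_archives` (L161667) has the same `FILETABLE` name but is shadowed by the second definition on L161694, and both, plus L161717, contain the invalid substitution `${$ARCHIVE_DIR}`. Since this is a bundled copy of helm-toolkit, the fix presumably belongs in the bundled upstream version rather than a local patch, but as bundled the backup framework is inoperative. The proposed corrections to `remove_old_remote_archives` are below; `backup_databases` and the other functions are unchanged apart from the `${ARCHIVE_DIR}` fix.

```shell
remove_old_remote_archives() {
  # … unchanged: count / SECONDS_TO_KEEP / log …
  for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
    ARCHIVE_FILE=${fileTable[${INDEX}]}
    # … unchanged: keep / delete branch …
  done

  # Cleanup now that we're done.
  for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
    if [[ -f "${fd}" ]]; then
      rm -f "${fd}"
    else
      log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
    fi
  done
}
```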
diff --git a/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
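Review bot: `database_exists` checks the requested name with an unanchored `grep "${DB}" ${RESULT_FILE}`, so a substring such as `nova` passes the check when only `nova_api` or `nova_cell0` is listed, and `restore_single_db` is then attempted with a name the archive may not contain; `grep -qx -- "${DB}" "${RESULT_FILE}"` matches a whole line only and stops the match text leaking to stdout. In `retrieve_remote_listing` the `$?` tested after the `openstack object list | grep | grep | awk > …` pipeline is awk's status, so a failed listing still prints "Archive listing successfully retrieved." over an empty file; test `${PIPESTATUS[0]}` or run `set -o pipefail` in `cli_main` before dispatching. The `<archive_filename>` argument is joined onto `$ARCHIVE_DIR` and `$TMP_DIR` unchecked in `get_archive` and `delete_archive`, so a value containing `/` reaches `cp`, `rm -f` and `openstack object save --file` outside those directories; a guard at the top of both, `[[ "$ARCHIVE_FILE" == */* ]] && clean_and_exit 1 "ERROR: archive name must not contain '/'"`, keeps every file operation inside the intended directory.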
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
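Review bot: `$imageTag` is taken with `index $envAll.Values.images.tags $image` and used with no nil check, so a chart that references a key missing from `images.tags` renders an empty or garbage image reference and the mistake surfaces only when the pod fails to pull. Helm's `required` turns this into a render-time error: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. `imagePullPolicy` is emitted unquoted, so an unset `images.pull_policy` renders as a bare empty value; `{{ $envAll.Values.images.pull_policy | default "IfNotPresent" | quote }}` matches the default shown in the docstring above.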
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
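Review bot: The docstring above the define is out of step with the body: the `usage:` example passes only `ksUserSecret`, while the body reads `.useCA` to gate `OS_CACERT`, and the `return:` sample lists `OS_CACERT` unconditionally but omits `OS_DEFAULT_DOMAIN`, which the body always emits. Update the usage line to `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}` and add the `OS_DEFAULT_DOMAIN` entry to the return sample. `OS_ENDPOINT_TYPE` being read from the `OS_INTERFACE` secret key looks deliberate, since the openrc secret template in this commit writes no `OS_ENDPOINT_TYPE` key, but a one-line `{{/* OS_ENDPOINT_TYPE mirrors OS_INTERFACE; the openrc secret carries only the latter */}}` above that entry would stop the next reader from treating it as a copy-paste error.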
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
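Review bot: The `usage:` example passes `"useCA" true`, but the define body reads only `.ksUserSecret` and emits no CA variable, so the flag is silently ignored. If the CA is meant to reach the user-management jobs through this secret, the missing piece is the conditional block the openrc snippet uses (`{{- if .useCA }}` … `- name: SERVICE_OS_CACERT` with `key: OS_CACERT` … `{{- end }}`); otherwise drop `"useCA" true` from the usage line so the docstring does not promise behaviour the template does not have.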
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..aa656c1
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Chart.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
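Review bot: The docstring's `values:` example places `apparmor_profiles` under `pod.mandatory_access_control`, but the define reads `$envAll.Values.conf.apparmor_profiles`; a chart author following the docstring gets no ConfigMap at all, so one of the two needs to change to match the other. That `conf` lookup is also the only step in the chain without a `hasKey` guard, so a chart whose values have no `conf` mapping fails at render time with a nil-pointer error rather than rendering nothing; wrapping it as `{{- if hasKey $envAll.Values "conf" }}` / `{{- if $envAll.Values.conf.apparmor_profiles }}` (with a matching extra `{{- end }}`) keeps the guard style consistent. The `return:` sample names the ConfigMap `releaseName-myComponent-apparmor`, while `$mapName` is built from `$envAll.Chart.Name`, not `Release.Name`.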
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
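Review bot: The image on L162981 is read straight from `$envAll.Values.images.tags.apparmor_loader`, while the entrypoint snippet in this same toolkit renders its image via `{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}`, which also emits `imagePullPolicy` and, judging by the `local_registry` example in that snippet's docs, the local-registry rewrite; `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` would keep the two init containers consistent. The container also runs with `privileged: true` plus hostPath mounts of `/sys` and `/etc/apparmor.d`; loading profiles into the kernel needs that, but it means any pod that sets `configmap_apparmor: true` cannot be admitted under a restricted Pod Security profile, which deserves a comment above `securityContext:` such as `{{/* privileged + hostPath are required to load profiles into the kernel; incompatible with PSA restricted */}}`. As this file is a bundled copy of helm-toolkit, the change belongs upstream as well as here.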
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..c5e07ee
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Chart.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
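Review bot: The documented return on L163045 names the ConfigMap `RELEASENAME-keystone-apparmor`, but `$configName` on L163052 is built from `$envAll.Chart.Name`, so the example is wrong whenever the release name differs from the chart name; either change the example to `CHARTNAME-keystone-apparmor` or, if the release name was intended, switch to `$envAll.Release.Name` together with the matching configmap snippet, which also uses `Chart.Name`. `defaultMode: 0555` on L163069 depends on the YAML 1.1 leading-zero octal reading; a YAML 1.2 parser reads it as decimal 555, so the decimal form `defaultMode: 365` is the portable spelling and is what the Kubernetes API stores anyway. The `inputs:` section on L163030 documents the arguments well and is missing from the sibling apparmor snippets.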
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
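Review bot: `( index $envAll.Values.pod.security_context )` on L163122 is an `index` call with no keys and simply returns the map, so the plain `hasKey $envAll.Values.pod.security_context $application` reads more clearly and is what the pod-level snippet further down would also benefit from. The doc link on L163099 points at the v1.13 API reference; a version-neutral link avoids the page going stale.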
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
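Review bot: On L163329 the leading `{{-` in `value: {{- toJson $deps.jobs | quote -}}` trims the space after `value:`, so the rendered line becomes `value:"[...]"`, which YAML does not read as a key/value pair; the sibling lines L163337 and L163339 use a plain `{{`, and `value: {{ toJson $deps.jobs | quote }}` would match them (if I am misreading the trim markers, a comment `{{/* non-string job dependencies are passed to kubernetes-entrypoint as JSON */}}` above the branch would still help). L163271 uses the shared `$envAll.Values` map as scratch space under `__kubernetes_entrypoint_init_container`, and L163299 writes `namespace` into the `custom_resources` entries of the values themselves; the serviceaccount snippet overwrites the same key, so today this appears harmless, but a local `$deps := dict` passed to `helm-toolkit.utils.merge` would keep the per-include state out of the chart values. The `_default_security_context` helper is a sound defensive default (non-root, read-only root filesystem, no privilege escalation); a comment on L163302 such as `{{/* chart values take precedence over the defaults above via mergeOverwrite */}}` would make the precedence explicit.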
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
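Review bot: The annotation emitted on L163427, `container.apparmor.security.beta.kubernetes.io/<name>`, is the beta annotation form; Kubernetes 1.30 promoted AppArmor to GA with the `securityContext.appArmorProfile` field and deprecated the annotation, which as far as I know is still honoured but may not be indefinitely. A comment above the `define` on L163414, `{{/* emits the (deprecated) beta annotation; migrate to securityContext.appArmorProfile once the supported Kubernetes floor is 1.30+ */}}`, records the migration path without changing behaviour. L163436 leaves a trailing blank line after the final `{{- end -}}`, which the other snippets in this set do not have.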
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..b8493b3
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Chart.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
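Review bot: L163487 and L163490 render the component-specific labels and then the `default` labels as two separate `toYaml` dumps, so a label present in both produces a duplicate key in the output mapping, which YAML parsers either reject or resolve last-wins, i.e. the `default` value silently overrides the component value rather than the other way round. Merging before rendering, `{{ merge (index $envAll.Values.pod.labels $component | default dict) ($envAll.Values.pod.labels.default | default dict) | toYaml }}` with Sprig's `merge` giving the first argument precedence, removes the ambiguity; the image-pull-secret snippet has the same two-dump shape but emits list items, so duplicates there are only redundant. The example on L163471 shows `release_group: RELEASE-NAME`, whereas L163482 defaults to `$envAll.Chart.Name`; the doc should show the chart name.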
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..f1ad580
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Chart.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..c2576d5
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Chart.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
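Review bot: When a dependency of kind `secrets` is present, L163710-L163711 grant `get` and `list` on `secrets` for the whole namespace (the verbs on L163692-L163694 apply to every resource in the rule), and `list` returns the contents of every Secret in that namespace to the service account; if the entrypoint check only needs to confirm existence, `get` restricted with `resourceNames` to the named secrets is the tighter grant, and otherwise a comment explaining why namespace-wide `list` is required would help the next reader. The variable on L163665 is named `$releaseName` but holds `$envAll.Chart.Name`, so two releases of the same chart in one namespace would produce identical Role and RoleBinding names; renaming it `$chartName` at least stops the name from misleading, and using `$envAll.Release.Name` is the fix if uniqueness per release was intended. The RoleBinding name on L163670 omits `$saNamespace` while the Role name on L163675 includes it, which is presumably deliberate since bindings are created per target namespace, but is worth a one-line comment.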
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..4cc898d
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
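Review bot: `$randomKey := randAlphaNum 32` on L163740 exists only to seed `$allNamespace` with a throwaway entry that L163784 removes again, which makes the template consume randomness on every render for no output effect; `{{- $allNamespace := dict }}` creates the empty map directly, exactly as L163743 already does for `__kubernetes_entrypoint_init_container`. On L163768, `index $envAll.Values.endpoints $serv.service` yields nil for a service with no `endpoints` entry, and the following `$endpointMap.namespace` then fails the render with a nil-access error rather than a message naming the missing endpoint; a guard such as `{{- if not $endpointMap }}{{ fail (printf "no endpoint defined for dependency service %s" $serv.service) }}{{- end }}` would make the failure self-explanatory. The `jobs`/`daemonset`/`pod`/`secret` key names on L163774-L163780 are singular while the resource strings they produce are plural; a comment noting that these keys mirror the `dependencies.static` schema would save the reader a cross-reference.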
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
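Review bot: When both the deprecated `pod.user.<app>.uid` and `pod.security_context.<app>.pod.runAsUser` are set, the define emits `runAsUser` twice under `securityContext` — once from the `runAsUser:` line in the legacy branch and again from the `toYaml` of the pod map — and the YAML parser silently keeps the last one instead of flagging the conflict. Since this is the knob that decides whether a service container runs as root, a silent last-wins merge is worth closing: resolve the pod-level map first and only fall back to the legacy uid when that map does not already carry `runAsUser`. The abstract also has the typo `seurity` and links the v1.13 API reference, and nothing here applies `runAsNonRoot` unless a chart opts in through values, which the header should say. The rewrite below reassigns `$podCtx`, which needs a Helm built on a Go text/template that supports variable reassignment (Helm 3 does); if older Helm must be supported, use `set` on a scratch dict instead.
```yaml
{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
{{- $envAll := index . "envAll" -}}
{{- $application := index . "application" -}}
{{- $podCtx := dict -}}
{{- if hasKey $envAll.Values.pod "security_context" }}
{{- if hasKey $envAll.Values.pod.security_context $application }}
{{- $podCtx = index $envAll.Values.pod.security_context $application "pod" | default dict -}}
{{- end -}}
{{- end -}}
securityContext:
{{- if and (hasKey $envAll.Values.pod "user") (not (hasKey $podCtx "runAsUser")) }}
{{/* … unchanged: legacy pod.user.<app>.uid lookup that renders runAsUser … */}}
{{- end -}}
{{- if $podCtx }}
{{ toYaml $podCtx | indent 2 }}
{{- end -}}
{{- end -}}
```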
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
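Review bot: `mergeOverwrite $probeTemplate $probeOverides` on the last template line mutates `$probeTemplate` in place (sprig's `mergeOverwrite` writes into its first argument), so a caller that builds the probe dict once and passes it to both the liveness and the readiness call will see one probe's `params` bleed into the other, depending on call order. The documented usage rebuilds the dict via `include ... | fromYaml` per call and is safe, but the define should not rely on that: `{{ dict ( printf "%sProbe" $type ) (mergeOverwrite (dict) $probeTemplate $probeOverides ) | toYaml }}` merges into a fresh map. Separately, `index $envAll.Values.pod.probes $component $container $type` aborts the render when the path is missing; that is a reasonable fail-closed default, but it belongs in the abstract so chart authors know every probed container needs a values entry.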
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
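Review bot: The example in the header is truncated — `memory: "128Mi` on the requests line has no closing quote — and the header should state that with `pod.resources.enabled: false` the snippet emits nothing at all, leaving the container with no CPU or memory limits, which matters on shared nodes. A one-line addition under the deprecation note would do: `# When pod.resources.enabled is false no resources stanza is rendered and the container runs unconstrained.` Since the function is marked deprecated, the note should also name its replacement if the toolkit has one; none is visible from this hunk.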
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
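Review bot: The annotation key rendered at `container.seccomp.security.alpha.kubernetes.io/{{ $name }}` is the legacy alpha form, which upstream deprecated in v1.19 in favour of `securityContext.seccompProfile` and which, to my knowledge, recent releases no longer honour, so on such clusters the profile named in `pod.seccomp` is silently not applied and the container runs with the runtime default. A seccomp profile that quietly fails open is worse than one that is visibly missing, so the abstract should carry the caveat, e.g. `NOTE: relies on the deprecated alpha seccomp annotation; clusters that ignore it apply no profile — prefer securityContext.seccompProfile (type: Localhost, localhostProfile: <name>)`. A companion snippet that renders `seccompProfile` under the container securityContext would be the real fix; it does not fit this define's annotation-map output shape, so I would track it as a follow-up. The `if $seccompProfile` guard also means an empty-string profile value is skipped with no warning.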
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
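Review bot: The `enabled` flag documented in the values block is never consulted — the define renders `$pod.tolerations` unconditionally after `tolerations:` — so `enabled: false` still schedules the pod onto tainted control-plane nodes when the default tolerates `node-role.kubernetes.io/master`. Wrapping the stanza, `{{- if $pod.enabled }}` before `tolerations:` and `{{- end }}` after the `toYaml` line, makes the documented switch real. The usage line is also out of step with the code: it passes the map `.Values.pod.tolerations.api` as the second tuple element, while `index $envAll.Values.pod.tolerations $component` expects the string key `"api"` and errors on a map argument, so one of the two must change.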
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
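Review bot: `type: {{ $pod_replacement_strategy }}` is emitted before the `if $pod_replacement_strategy` guard, so an unset `pod_replacement_strategy` renders `type:` with a null value instead of being omitted or defaulted. Either move the `type:` line inside the guard or default it, `type: {{ $pod_replacement_strategy | default "RollingUpdate" }}`, which also matches the "RollingUpdate (default)" wording in the sibling statefulset snippet. `minReadySeconds: {{ .min_ready_seconds }}` has the same empty-render shape when the key is absent; the API accepts null there, so that one is cosmetic.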
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
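Review bot: `{{ if .partition -}}` treats `partition: 0` as unset, so a chart that wants to state an explicit full roll-out cannot, and conversely a non-zero partition is rendered under `rollingUpdate:` even when `pod_replacement_strategy` is `OnDelete`, a combination that, as far as I recall, apps API validation rejects. Gating on both conditions covers it: `{{- if and (eq .pod_replacement_strategy "RollingUpdate") (hasKey . "partition") }}`. The abstract lists RollingUpdate as the default, but `type: {{ .pod_replacement_strategy }}` renders null when the key is missing; `| default "RollingUpdate"` would make the documentation true.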
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
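Review bot: The usage example in the header, `sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf`, cannot work with the value this function produces: the go-template prints `v2:%s:%d/0`, so every entry contains `/0` and sed rejects the unescaped `/` inside its `s///` replacement. Use a delimiter that cannot occur in the value, `sed -i -e "s|^mon_host = |mon_host = $MON_HOST|" /etc/ceph/ceph.conf`, and fix the comment lines above the function, which describe entries as `x.x.x.x/p/0` while the code emits `x.x.x.x:p/0`. The `kubectl get endpoints` call also deserves a one-line comment: the mon list is taken verbatim from the Endpoints object in `$ns`, so anyone able to write that object can redirect the client's Ceph traffic, and the caller's RBAC should keep endpoint writes in that namespace restricted. The function returns 1 only for missing arguments and otherwise kubectl's exit status, so an empty `$MON_HOST` is the condition callers must test, as the example does with `-z`.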
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
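Review bot: The license header at the top of this file is truncated — it opens with `you may not use this file except in compliance with the License.` and lacks the `Licensed under the Apache License, Version 2.0 (the "License");` line every other snippet in this series carries; restore it so the file's licensing is unambiguous. On the content, the `prometheus.io/scheme` comment says an `https` endpoint will "most likely" need `tls_config` in the scrape job; I would make that a firm statement, since without it Prometheus either fails certificate verification or, if `insecure_skip_verify` is set, scrapes without authenticating the target.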
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
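Review bot: The abstract reads `Reneders an attonation key and value for a release`; it should read `Renders an annotation key and value for a release`. The return example shows an empty string, which is what `| default ""` yields when `release_uuid` is unset, so a one-line note that the annotation is always emitted (empty when no uuid is supplied) would help chart authors who grep for it.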
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
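Review bot: `.s3AdminSecret` is used as the `secretKeyRef.name` three times with no check that it was supplied, so a caller that omits the key renders `name:` as null and the pod is rejected at admission with an error that does not point back to this snippet. A `required` at the top turns that into a clear render-time failure: `{{- $s3AdminSecret := required "rgw_s3_admin_env_vars: s3AdminSecret is required" .s3AdminSecret }}`. The file also has the license block but no abstract; a header naming the three keys the referenced Secret must carry (`S3_ADMIN_USERNAME`, `S3_ADMIN_ACCESS_KEY`, `S3_ADMIN_SECRET_KEY`) would make the contract visible to chart authors.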
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
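Review bot: The Secret name is derived by `$client | replace "_" "-" | lower`, so two clients such as `foo_bar` and `foo-bar` (or `Foo-Bar`) map to the same `foo-bar-s3-user-secret` and the second silently overwrites the first in the rendered manifest, leaving one client with the other's credentials. A `fail` when a derived name repeats, or a documented rule that client keys are already lowercase kebab-case, would close that. The data keys are whatever `$config.auth` contains, upper-cased, so the define cannot tell when a chart misspells one; a `required` lookup on the three keys the consuming env-var snippet reads (`username`, `access_key`, `secret_key`) would fail at render rather than at pod start. The credentials themselves come from `.Values.storage.s3.clients.*.auth`, i.e. plaintext in values files, which the header should say so they are kept out of version control.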
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
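Review bot: The `key:` values `USERNAME`, `ACCESS_KEY` and `SECRET_KEY` are a contract with whatever produces `<client>-s3-user-secret`, which upper-cases the `auth` map keys rather than fixing them, so a values file with `access-key` or `accesskey` renders a pod whose env var references a key the Secret does not have, and the pod fails at start rather than at render. A header comment naming the required `auth` keys (`username`, `access_key`, `secret_key`) and pointing at the producing snippet would make the dependency visible; this file has no abstract. The env-var prefix `replace "-" "_" | upper` and the secret name `replace "_" "-" | lower` are each one-way, so a client key mixing both separators still lines up between the two snippets — that is the property to preserve if either mapping is ever changed.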
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
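Review bot: The usage example passes `"enabled" "true"` as a string, and since the define tests `$enabled` for truthiness, any non-empty string — including `"false"` — renders the volume; the example should pass a boolean such as `.Values.manifests.certificates`, as the mount snippet's example does. `defaultMode: 292` deserves a comment: it is decimal for octal 0444, meaning the certificate and private key are readable by every UID inside the pod, which is what lets a non-root service user read them when no `fsGroup` is set; `# 292 == 0444: key/cert readable by the non-root service user (secret volumes are root-owned without fsGroup)` would record that trade-off. If the charts do set an `fsGroup`, 0440 (288) would keep the key from other UIDs in the container, but I cannot tell from this hunk whether they do.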
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
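Review bot: The second usage example enables the CA-only mount with `"ca" true`, but the define never reads a `ca` key — it takes the `/etc/ssl/certs/openstack-helm.crt` branch only when `path` is empty — so the example works by accident (it omits `path`) and a caller that passes both `path` and `"ca" true` gets the full key/cert set instead of the CA alone. Either read the flag, `{{- $ca := index . "ca" | default false -}}` with `{{- if or $ca (eq $path "") }}` at the branch, or drop `"ca" true` from the example and document that omitting `path` selects the CA-only mount. `path` is also interpolated straight into `printf "%s/%s"`, so a trailing `/` yields a double slash; the header tells callers not to suffix it, but nothing enforces that, and `trimSuffix "/" $path` would.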
diff --git a/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..7fa180a
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Chart.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/nova/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
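Review bot: When `ca` is present in `params` but lacks either `crt` or `key`, the branch at `{{- if hasKey $params "ca" }}` sets nothing and no CA is generated, so the later `$local.ca.Cert` access fails with an opaque nil-pointer render error rather than a clear message; an `{{- else }}{{- fail "tls_generate_certs: params.ca requires both crt and key" }}` inside that inner `if` would make the misconfiguration explicit. Separately, the returned dict carries `caKey` (the CA private key) next to the leaf certificate in both the encoded and plain branches, so any caller that writes the whole dict into a Secret distributes the CA signing key alongside every service certificate; the `return:` section of the doc block should list `caKey` and state that intent so callers know whether to omit it. This is a vendored helm-toolkit copy, so the change belongs upstream with the bundled copy re-synced.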
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
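Review bot: `{{- $_ := unset $context ".Files" }}` near the top of the define looks like a no-op: the key in the top-level context map is `Files`, not `.Files`, so the dot-prefixed name does not match and the Files object stays in `$context` for the deep copies that follow; if the intent is to drop it, the line should read `{{- $_ := unset $context "Files" }}`. I infer this from the key name alone, so confirm against rendered output before changing it. As a vendored helm-toolkit file the fix belongs upstream.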
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
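Review bot: `$wtf` is an uninformative name for the resolved template path, and `replace $last $name` substitutes every occurrence of the basename within `Template.Name`, not only the trailing one, so a directory component equal to the basename would also be rewritten. A clearer and suffix-safe form is `{{- $templatePath := printf "%s%s" ($context.Template.Name | trimSuffix $last) $name -}}` followed by `{{- include $templatePath $context | sha256sum | quote -}}`. This is a vendored helm-toolkit copy, so the rename belongs upstream.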
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
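Review bot: The separator is emitted before the exclusion check, so when a key in `.Values.images.tags` is listed in `local_registry.exclude` and follows an included one, the loop writes a comma and then nothing, producing doubled or trailing commas in the joined list (for example `a,,c` or `a,`). Moving `{{- if not $local.first -}},{{- end -}}` inside the `{{- if (not (has $k $imageExcludeList )) -}}` block, immediately before `{{- index $imageDict $k -}}`, keeps the separator tied to a value that is actually emitted. The bundled copy mirrors upstream helm-toolkit, so the change should land there and be re-synced here.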
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
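Review bot: The wrapping in `'{{- $v -}}'` is not escape-aware: a value that itself contains a single quote produces an unbalanced quoted token, so the output is only well-formed for quote-free values. How such a quote should be escaped depends on whatever consumes the string, which this helper cannot know, so at minimum document the precondition in the abstract, e.g. `Values must not contain a single quote; no escaping is applied.` While there, fix the typo `seperated` → `separated` in the abstract.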
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
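Review bot: The license header of this file opens with `{/*` instead of `{{/*` (its first line), so it is not a template comment: the header text and the closing `*/}}` are literal template content rather than being stripped at parse time. Helm does not emit `_*.tpl` partials as manifests, so this is presumably harmless in the rendered output, but it differs from every sibling helper in this toolkit and should be corrected to `{{/*`.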
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
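Review bot: In `helm-toolkit.utils.merge`, `$local.result` is only assigned inside the `range $item := rest $local.values` loop, so when the map form is called with a single-element `values` tuple the loop never runs and `$.result` is set to nil instead of to the lone value. Initialise it before the loop: `{{- $_ := set $local "result" $target -}}`. It is also worth stating in the header comment that the merge is performed in place on the first value (`set $.target $key ...` in `_merge`), so passing a `.Values` subtree as the target mutates it for the remainder of the render.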
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_template.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
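Review bot: `$context.Template.Name | replace $last $name` substitutes every occurrence of the basename in the full template path, not only the final component, so a directory segment that happens to equal the basename would be rewritten as well. Building the path explicitly removes the ambiguity: `{{- $wtf := printf "%s/%s" (dir $context.Template.Name) $name -}}`. The name `$wtf` also says nothing about what the value is; `$sibling` or `$target` would read better.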
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..d66663f
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Chart.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
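Review bot: The usage comment does not match the define: it shows `include "helm-toolkit.utils.to_k8s_env_vars" .Values.test`, but this helper is named `to_k8s_env_secret_vars` and takes a tuple (`index . 0` is the context, `index . 1` the secrets map), e.g. `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}`. The example return shows `my-release-name-env-secret`, while the code derives the name from `$context.Chart.Name`, so the rendered reference is `<chart-name>-env-secret` regardless of release name. If two releases of the same chart share a namespace that presumably collides — worth confirming against the `secret-<chartname>` templates the abstract refers to.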
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/nova/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
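Review bot: A map-valued option whose `type` is neither `multistring` nor `csv` (including a map with no `type` key at all) matches neither `{{- if eq $value.type "multistring" }}` nor `{{ else if eq $value.type "csv" -}}` and is silently omitted from the rendered file, so a typo such as `type: multi-string` drops the option with no error — for options that gate security behaviour that is a quiet misconfiguration. Fail the render instead by adding `{{ else -}}{{ fail (printf "to_oslo_conf: unsupported option type %q for [%s] %s" (toString $value.type) $section $key) }}` before that branch's `{{ end -}}`. Non-map section values are likewise skipped by the outer `if kindIs "map" $values`; if that is deliberate, a one-line comment saying so would help.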
diff --git a/charts/nova/charts/helm-toolkit/values.yaml b/charts/nova/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/nova/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/nova/requirements.lock b/charts/nova/requirements.lock
new file mode 100644
index 0000000..159c53a
--- /dev/null
+++ b/charts/nova/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.38
+digest: sha256:5e8c9ccd0834d092abdcf29f1a6d79c906d4aa9f61c375d617f69a342c40747f
+generated: "2022-03-25T19:12:55.919908558Z"
diff --git a/charts/nova/requirements.yaml b/charts/nova/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/nova/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
diff --git a/charts/nova/templates/bin/_bootstrap.sh.tpl b/charts/nova/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..9cb48b1
--- /dev/null
+++ b/charts/nova/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+{{ if .Values.bootstrap.structured.flavors.enabled }}
+{{ range .Values.bootstrap.structured.flavors.options }}
+# NOTE(aostapenko) Since Wallaby with switch of osc to sdk '--id auto' is no
+# longer treated specially. Though the same behavior can be achieved w/o specifying
+#--id flag.
+# https://review.opendev.org/c/openstack/python-openstackclient/+/750151
+{
+ openstack flavor show {{ .name }} || \
+ openstack flavor create {{ .name }} \
+{{ if .id }} \
+ --id {{ .id }} \
+{{ end }} \
+ --ram {{ .ram }} \
+ --disk {{ .disk }} \
+ --vcpus {{ .vcpus }}
+} &
+{{ end }}
+wait
+{{ end }}
+
+{{ if .Values.bootstrap.wait_for_computes.enabled }}
+{{ .Values.bootstrap.wait_for_computes.scripts.wait_script }}
+{{ else }}
+echo 'Wait for Computes script not enabled'
+{{ end }}
+
+{{ .Values.bootstrap.script | default "echo 'No other bootstrap customizations found.'" }}
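Review bot: The flavor fields are interpolated into the shell command line unquoted (`openstack flavor show {{ .name }} || \` and the `create` line below it), so a flavor name containing whitespace or shell metacharacters is word-split or interpreted by bash instead of being passed as a single argument. Single-quote them at render time: `openstack flavor show {{ .name | squote }} || \` and `openstack flavor create {{ .name | squote }} \`; `.ram`, `.disk` and `.vcpus` are numeric and can stay as they are if the values schema enforces that. `.Values.bootstrap.script` and `wait_script` are by design arbitrary shell supplied through values, so no change is proposed there.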
diff --git a/charts/nova/templates/bin/_cell-setup-init.sh.tpl b/charts/nova/templates/bin/_cell-setup-init.sh.tpl
new file mode 100644
index 0000000..9535085
--- /dev/null
+++ b/charts/nova/templates/bin/_cell-setup-init.sh.tpl
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{- if .Values.jobs.cell_setup.extended_wait.enabled }}
+iteration={{ .Values.jobs.cell_setup.extended_wait.iteration }}
+duration={{ .Values.jobs.cell_setup.extended_wait.duration }}
+extra_wait=true
+# Init for case wait_for_computes is not enabled. It'll have
+# the same effect as the original code that checks for at
+# least one compute is registered
+expected_computes=1
+
+if [[ -f /tmp/compute_nodes.txt ]]
+then
+ expected_computes=$(cat /tmp/compute_nodes.txt | wc -w)
+fi
+
+while [[ "$extra_wait" == true ]]
+do
+ nova_computes=$(openstack compute service list --service nova-compute -f value -c State)
+
+ if [[ -z "$(echo $nova_computes | grep down)" ]]
+ then
+ # No more down. Although all present computes are up,
+ # the number of present computes may not be the total
+ # expected number of computes as some of the remaining
+ # computes may take a bit longer to register/join.
+ actual_computes=$(echo $nova_computes | wc -w)
+ if [[ "$actual_computes" -ge "$expected_computes" ]]
+ then
+ # All expected nodes are up
+ extra_wait=false
+ fi
+ fi
+
+ if [[ "$extra_wait" == true ]]
+ then
+ sleep "$duration"
+
+ if [[ "$iteration" -gt 1 ]]
+ then
+ ((iteration=iteration-1))
+ else
+ extra_wait=false
+
+ # List out the info to see whether any nodes is still down
+ openstack compute service list --service nova-compute
+ fi
+ fi
+done
+{{- end }}
+
+until openstack compute service list --service nova-compute -f value -c State | grep -q "^up$" ;do
+ echo "Waiting for Nova Compute processes to register"
+ sleep 10
+done
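Review bot: `if [[ -z "$(echo $nova_computes | grep down)" ]]` relies on word-splitting an unquoted variable and capturing grep's output to test for a match; `if ! grep -q down <<< "$nova_computes"` expresses the same test directly. Separately, when the iteration budget is exhausted (the `else` branch that sets `extra_wait=false`) the script only prints the service list and continues into the final `until` loop, which is satisfied by a single `up` compute, so an incomplete set of computes is logged but not treated as a failure. If that is intended, a comment saying so at that `else` would stop the next reader from assuming it is an oversight.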
diff --git a/charts/nova/templates/bin/_cell-setup.sh.tpl b/charts/nova/templates/bin/_cell-setup.sh.tpl
new file mode 100644
index 0000000..45c9771
--- /dev/null
+++ b/charts/nova/templates/bin/_cell-setup.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+NOVA_VERSION=$(nova-manage --version 2>&1 | grep -Eo '[0-9]+[.][0-9]+[.][0-9]+')
+
+# NOTE(portdirect): check if nova fully supports cells v2, and manage
+# accordingly. Support was complete in ocata (V14.x.x).
+
+if [ "${NOVA_VERSION%%.*}" -gt "14" ]; then
+ nova-manage cell_v2 discover_hosts --verbose
+fi
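Review bot: The comment says cells v2 support was complete in `V14.x.x`, but the guard `"${NOVA_VERSION%%.*}" -gt "14"` treats major version 14 as unsupported and only runs `discover_hosts` from 15 onward. One of the two is off: either correct the comment's version number to match the comparison, or change the test to `-ge "14"` if 14.x is meant to be handled. The same comment and check are repeated in the db-sync script, so keep both in step.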
diff --git a/charts/nova/templates/bin/_ceph-admin-keyring.sh.tpl b/charts/nova/templates/bin/_ceph-admin-keyring.sh.tpl
new file mode 100644
index 0000000..8c36d4b
--- /dev/null
+++ b/charts/nova/templates/bin/_ceph-admin-keyring.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cat > /etc/ceph/ceph.client.admin.keyring << EOF
+[client.admin]
+{{- if .Values.conf.ceph.admin_keyring }}
+ key = {{ .Values.conf.ceph.admin_keyring }}
+{{- else }}
+ key = $(cat /tmp/client-keyring)
+{{- end }}
+EOF
+
+exit 0
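Review bot: The keyring is written with `cat > /etc/ceph/ceph.client.admin.keyring` under the process's default umask, so unless the container image sets a restrictive umask the file holding the Ceph admin key is created world-readable. Add `umask 077` immediately after `export HOME=/tmp` (or `chmod 600` the file after the heredoc) so only the owner can read it. When `.Values.conf.ceph.admin_keyring` is set the key is also baked into the rendered script itself, so that script must be delivered through a Secret rather than a ConfigMap — worth confirming in the chart's configmap/secret templates.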
diff --git a/charts/nova/templates/bin/_ceph-keyring.sh.tpl b/charts/nova/templates/bin/_ceph-keyring.sh.tpl
new file mode 100644
index 0000000..b9237e8
--- /dev/null
+++ b/charts/nova/templates/bin/_ceph-keyring.sh.tpl
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+export HOME=/tmp
+
+cp -vf /etc/ceph/ceph.conf.template /etc/ceph/ceph.conf
+
+KEYRING=/etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring
+{{- if .Values.conf.ceph.cinder.keyring }}
+cat > ${KEYRING} <<EOF
+[client.{{ .Values.conf.ceph.cinder.user }}]
+ key = {{ .Values.conf.ceph.cinder.keyring }}
+EOF
+{{- else }}
+if ! [ "x${CEPH_CINDER_USER}" == "xadmin" ]; then
+ #
+ # If user is not client.admin, check if it already exists. If not create
+ # the user. If the cephx user does not exist make sure the caps are set
+ # according to best practices
+ #
+ if USERINFO=$(ceph auth get client.${CEPH_CINDER_USER}); then
+ echo "Cephx user client.${CEPH_CINDER_USER} already exist"
+ echo "Update user client.${CEPH_CINDER_USER} caps"
+ ceph auth caps client.${CEPH_CINDER_USER} \
+ mon "profile rbd" \
+ osd "profile rbd"
+ ceph auth get client.${CEPH_CINDER_USER} -o ${KEYRING}
+ else
+ echo "Creating Cephx user client.${CEPH_CINDER_USER}"
+ ceph auth get-or-create client.${CEPH_CINDER_USER} \
+ mon "profile rbd" \
+ osd "profile rbd" \
+ -o ${KEYRING}
+ fi
+ rm -f /etc/ceph/ceph.client.admin.keyring
+fi
+{{- end }}
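Review bot: As with the admin keyring script, `cat > ${KEYRING}` and `ceph auth ... -o ${KEYRING}` create the cephx keyring under the default umask; add `umask 077` after `export HOME=/tmp` so the key file is not world-readable. Note also that for a pre-existing user the script unconditionally rewrites its capabilities with `ceph auth caps ... mon "profile rbd" osd "profile rbd"` on every run, which silently reverts any narrower or broader caps an operator has set on that user — a comment stating this is deliberate (or a values toggle) would help. `USERINFO` is assigned but never read; `if ceph auth get client.${CEPH_CINDER_USER} >/dev/null; then` is clearer.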
diff --git a/charts/nova/templates/bin/_db-archive-deleted-row.sh.tpl b/charts/nova/templates/bin/_db-archive-deleted-row.sh.tpl
new file mode 100644
index 0000000..a4b986b
--- /dev/null
+++ b/charts/nova/templates/bin/_db-archive-deleted-row.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec nova-manage db archive_deleted_rows \
+{{- if .Values.conf.archive_deleted_rows.until_completion }}
+ --until-complete \
+{{- end}}
+{{- if .Values.conf.archive_deleted_rows.purge_delete_rows }}
+ --purge \
+{{- end }}
+{{- if .Values.conf.archive_deleted_rows.all_cells }}
+ --all-cells \
+{{- end}}
+{{- if .Values.conf.archive_deleted_rows.max_rows.enabled }}
+ --max_rows {{ .Values.conf.archive_deleted_rows.max_rows.rows }} \
+{{- end }}
+{{- if .Values.conf.archive_deleted_rows.before.enabled }}
+ --before "{{ .Values.conf.archive_deleted_rows.before.date }}" \
+{{- end }}
+ --verbose
diff --git a/charts/nova/templates/bin/_db-sync.sh.tpl b/charts/nova/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..e688238
--- /dev/null
+++ b/charts/nova/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+NOVA_VERSION=$(nova-manage --version 2>&1 | grep -Eo '[0-9]+[.][0-9]+[.][0-9]+')
+
+function manage_cells () {
+ # NOTE(portdirect): check if nova fully supports cells v2, and manage
+ # accordingly. Support was complete in ocata (V14.x.x).
+ if [ "${NOVA_VERSION%%.*}" -gt "14" ]; then
+ nova-manage cell_v2 map_cell0
+ nova-manage cell_v2 list_cells | grep -q " cell1 " || \
+ nova-manage cell_v2 create_cell --name=cell1 --verbose
+
+ CELL0_ID=$(nova-manage cell_v2 list_cells | awk -F '|' '/ cell0 / { print $3 }' | tr -d ' ')
+ CELL1_ID=$(nova-manage cell_v2 list_cells | awk -F '|' '/ cell1 / { print $3 }' | tr -d ' ')
+ set +x
+
+ CELL0_TRANSPORT=$(nova-manage cell_v2 list_cells | awk -F '|' '/ cell0 / { print $4 }' | tr -d ' ')
+ if [ -z "${DB_CONNECTION_CELL0}" ]; then
+ echo "ERROR: missing DB_CONNECTION_CELL0"
+ exit 1
+ fi
+ nova-manage cell_v2 update_cell \
+ --cell_uuid="${CELL0_ID}" \
+ --name="cell0" \
+ --transport-url="${CELL0_TRANSPORT}" \
+ --database_connection="${DB_CONNECTION_CELL0}"
+
+ for VAR in TRANSPORT_URL DB_CONNECTION; do
+ if [ -z "${!VAR}" ]; then
+ echo "ERROR: missing $VAR variable"
+ exit 1
+ fi
+ done
+ nova-manage cell_v2 update_cell \
+ --cell_uuid="${CELL1_ID}" \
+ --name="cell1" \
+ --transport-url="${TRANSPORT_URL}" \
+ --database_connection="${DB_CONNECTION}"
+ set -x
+ fi
+}
+
+# NOTE(aostapenko) Starting Wallaby nova-manage api_db version returns init version for empty database
+# greater than 0 # https://opendev.org/openstack/nova/src/branch/stable/wallaby/nova/db/sqlalchemy/migration.py#L32
+# thus logic prior to this commit does not work. We need to either remove or justify and alter previous logic.
+nova-manage api_db sync
+manage_cells
+
+nova-manage db sync
+
+nova-manage db online_data_migrations
+
+echo 'Finished DB migrations'
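Review bot: NOVA_VERSION can be empty when the grep on the `nova-manage --version` output matches nothing, and because that pipeline runs without pipefail the script continues; the `[ "${NOVA_VERSION%%.*}" -gt "14" ]` test in manage_cells then fails its integer comparison, the cells are silently left unmanaged, and the job still reports success. A guard right after the assignment, `[ -n "${NOVA_VERSION}" ] || { echo "ERROR: unable to determine nova version"; exit 1; }`, makes that case visible. The `set +x` around the update_cell calls deserves a comment such as `# set +x: the transport URL and database connection string carry credentials and must not be echoed into the job log`, since a later edit could easily drop it without noticing what it protects.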
diff --git a/charts/nova/templates/bin/_fake-iptables.sh.tpl b/charts/nova/templates/bin/_fake-iptables.sh.tpl
new file mode 100644
index 0000000..78cbd46
--- /dev/null
+++ b/charts/nova/templates/bin/_fake-iptables.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+exit 0
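Review bot: The script carries no explanation of why it exists, and a file named like an iptables replacement whose only statement is `exit 0` is easy to misread as unfinished. A one-line comment above the exit, such as `# Intentional no-op stand-in for iptables; always reports success`, would document the intent. How the chart places it over the real binary is not visible in this hunk, so that part is best described where the mount is defined.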
diff --git a/charts/nova/templates/bin/_health-probe.py.tpl b/charts/nova/templates/bin/_health-probe.py.tpl
new file mode 100644
index 0000000..0185319
--- /dev/null
+++ b/charts/nova/templates/bin/_health-probe.py.tpl
@@ -0,0 +1,259 @@
+#!/usr/bin/env python
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Health probe script for OpenStack service that uses RPC/unix domain socket for
+communication. Check's the RPC tcp socket status on the process and send
+message to service through rpc call method and expects a reply.
+Use nova's ping method that is designed just for such simple purpose.
+
+Script returns failure to Kubernetes only when
+ a. TCP socket for the RPC communication are not established.
+ b. service is not reachable or
+ c. service times out sending a reply.
+
+sys.stderr.write() writes to pod's events on failures.
+
+Usage example for Nova Compute:
+# python health-probe.py --config-file /etc/nova/nova.conf \
+# --service-queue-name compute
+
+"""
+
+import json
+import os
+import psutil
+import signal
+import socket
+import sys
+
+from oslo_config import cfg
+from oslo_context import context
+from oslo_log import log
+import oslo_messaging
+
+rpc_timeout = int(os.getenv('RPC_PROBE_TIMEOUT', '60'))
+rpc_retries = int(os.getenv('RPC_PROBE_RETRIES', '2'))
+
+tcp_established = "ESTABLISHED"
+
+
+def _get_hostname(topic, use_fqdn):
+ if use_fqdn and topic == "compute":
+ return socket.getfqdn()
+ return socket.gethostname()
+
+
+def check_service_status(transport):
+ """Verify service status. Return success if service consumes message"""
+ try:
+ service_queue_name = cfg.CONF.service_queue_name
+ use_fqdn = cfg.CONF.use_fqdn
+ target = oslo_messaging.Target(
+ topic=service_queue_name,
+ server=_get_hostname(service_queue_name, use_fqdn),
+ namespace='baseapi',
+ version="1.1")
+ client = oslo_messaging.RPCClient(transport, target,
+ timeout=rpc_timeout,
+ retry=rpc_retries)
+ client.call(context.RequestContext(),
+ 'ping',
+ arg=None)
+ except oslo_messaging.exceptions.MessageDeliveryFailure:
+ # Log to pod events
+ sys.stderr.write("Health probe unable to reach message bus")
+ sys.exit(0) # return success
+ except oslo_messaging.rpc.client.RemoteError as re:
+ message = getattr(re, "message", str(re))
+ if ("Endpoint does not support RPC method" in message) or \
+ ("Endpoint does not support RPC version" in message):
+ sys.exit(0) # Call reached the service
+ else:
+ sys.stderr.write("Health probe unable to reach service")
+ sys.exit(1) # return failure
+ except oslo_messaging.exceptions.MessagingTimeout:
+ sys.stderr.write("Health probe timed out. Agent is down or response "
+ "timed out")
+ sys.exit(1) # return failure
+ except Exception as ex:
+ message = getattr(ex, "message", str(ex))
+ sys.stderr.write("Health probe caught exception sending message to "
+ "service: %s" % message)
+ sys.exit(0)
+ except:
+ sys.stderr.write("Health probe caught exception sending message to"
+ " service")
+ sys.exit(0)
+
+
+def tcp_socket_status(process, ports):
+ """Check the tcp socket status on a process"""
+ for p in psutil.process_iter():
+ try:
+ with p.oneshot():
+ if process in " ".join(p.cmdline()):
+ pcon = p.connections()
+ for con in pcon:
+ try:
+ rport = con.raddr[1]
+ status = con.status
+ except IndexError:
+ continue
+ if rport in ports and status == tcp_established:
+ return 1
+ except psutil.Error:
+ continue
+ return 0
+
+
+def configured_port_in_conf():
+ """Get the rabbitmq/Database port configured in config file"""
+
+ rabbit_ports = set()
+ database_ports = set()
+
+ try:
+ transport_url = oslo_messaging.TransportURL.parse(cfg.CONF)
+ for host in transport_url.hosts:
+ rabbit_ports.add(host.port)
+ except Exception as ex:
+ message = getattr(ex, "message", str(ex))
+ sys.stderr.write("Health probe caught exception reading "
+ "RabbitMQ ports: %s" % message)
+ sys.exit(0) # return success
+
+ try:
+ with open(sys.argv[2]) as conf_file:
+ for line in conf_file:
+ if "connection =" in line:
+ service = line.split(':', 3)[3].split('/')[1].rstrip('\n')
+ if service == "nova":
+ database_ports.add(
+ int(line.split(':', 3)[3].split('/')[0]))
+ except IOError:
+ sys.stderr.write("Nova Config file not present")
+ sys.exit(1)
+
+ return rabbit_ports, database_ports
+
+
+def test_tcp_socket(service):
+ """Check tcp socket to rabbitmq/db is in Established state"""
+ dict_services = {
+ "compute": "nova-compute",
+ "conductor": "nova-conductor",
+ "consoleauth": "nova-consoleaut",
+ "scheduler": "nova-scheduler"
+ }
+ r_ports, d_ports = configured_port_in_conf()
+
+ if service in dict_services:
+ proc = dict_services[service]
+ transport = oslo_messaging.TransportURL.parse(cfg.CONF)
+ if r_ports and tcp_socket_status(proc, r_ports) == 0:
+ sys.stderr.write("RabbitMQ socket not established for service "
+ "%s with transport %s" % (proc, transport))
+ # Do not kill the pod if RabbitMQ is not reachable/down
+ if not cfg.CONF.liveness_probe:
+ sys.exit(1)
+
+ # let's do the db check
+ if service != "compute":
+ if d_ports and tcp_socket_status(proc, d_ports) == 0:
+ sys.stderr.write("Database socket not established for service "
+ "%s with transport %s" % (proc, transport))
+ # Do not kill the pod if database is not reachable/down
+ # there could be no socket as well as typically connections
+ # get closed after an idle timeout
+ # Just log it to pod events
+ if not cfg.CONF.liveness_probe:
+ sys.exit(1)
+
+
+def test_rpc_liveness():
+ """Test if service can consume message from queue"""
+ oslo_messaging.set_transport_defaults(control_exchange='nova')
+
+ rabbit_group = cfg.OptGroup(name='oslo_messaging_rabbit',
+ title='RabbitMQ options')
+ cfg.CONF.register_group(rabbit_group)
+ cfg.CONF.register_cli_opt(cfg.StrOpt('service-queue-name'))
+ cfg.CONF.register_cli_opt(cfg.BoolOpt('liveness-probe', default=False,
+ required=False))
+ cfg.CONF.register_cli_opt(cfg.BoolOpt('use-fqdn', default=False,
+ required=False))
+
+ cfg.CONF(sys.argv[1:])
+
+ log.logging.basicConfig(level=log.{{ .Values.health_probe.logging.level }})
+
+ try:
+ transport = oslo_messaging.get_notification_transport(cfg.CONF)
+ except Exception as ex:
+ message = getattr(ex, "message", str(ex))
+ sys.stderr.write("Message bus driver load error: %s" % message)
+ sys.exit(0) # return success
+
+ if not cfg.CONF.transport_url or \
+ not cfg.CONF.service_queue_name:
+ sys.stderr.write("Both message bus URL and service's queue name are "
+ "required for health probe to work")
+ sys.exit(0) # return success
+
+ try:
+ cfg.CONF.set_override('rabbit_max_retries', 2,
+ group=rabbit_group) # 3 attempts
+ except cfg.NoSuchOptError as ex:
+ cfg.CONF.register_opt(cfg.IntOpt('rabbit_max_retries', default=2),
+ group=rabbit_group)
+
+ service = cfg.CONF.service_queue_name
+ test_tcp_socket(service)
+
+ check_service_status(transport)
+
+def check_pid_running(pid):
+ if psutil.pid_exists(int(pid)):
+ return True
+ else:
+ return False
+
+if __name__ == "__main__":
+
+ if "liveness-probe" in ','.join(sys.argv):
+ pidfile = "/tmp/liveness.pid" #nosec
+ else:
+ pidfile = "/tmp/readiness.pid" #nosec
+ data = {}
+ if os.path.isfile(pidfile):
+ with open(pidfile,'r') as f:
+ data = json.load(f)
+ if check_pid_running(data['pid']):
+ if data['exit_count'] > 1:
+ # Third time in, kill the previous process
+ os.kill(int(data['pid']), signal.SIGTERM)
+ else:
+ data['exit_count'] = data['exit_count'] + 1
+ with open(pidfile, 'w') as f:
+ json.dump(data, f)
+ sys.exit(0)
+ data['pid'] = os.getpid()
+ data['exit_count'] = 0
+ with open(pidfile, 'w') as f:
+ json.dump(data, f)
+
+ test_rpc_liveness()
+
+ sys.exit(0) # return success
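Review bot: configured_port_in_conf opens `sys.argv[2]` as the nova config file, which silently assumes `--config-file` is always the first argument on the probe command line; any reordering of the arguments makes the DB-port check read the wrong path or raise IndexError. oslo.config has already parsed that flag by the time the function runs, so iterating `cfg.CONF.config_file` (the list of paths passed via `--config-file`) removes the positional assumption. The pidfile handling in `__main__` has a similar fragility: `json.load(f)` and `data['pid']` fail on an empty or truncated pidfile, which turns one crashed probe run into a persistent probe error; catching `(ValueError, KeyError)` around the load and falling back to an empty `data` keeps the probe self-healing. The bare `except:` after `except Exception` in check_service_status only ever sees BaseException subclasses and can be dropped.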
diff --git a/charts/nova/templates/bin/_iscsiadm.tpl b/charts/nova/templates/bin/_iscsiadm.tpl
new file mode 100644
index 0000000..edb5017
--- /dev/null
+++ b/charts/nova/templates/bin/_iscsiadm.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ iscsiadm "${@:1}"
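Review bot: `"${@:1}"` is simply `"$@"`; the slice form suggests an argument is being skipped when none is. Since nothing runs after the chroot, `exec chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" iscsiadm "$@"` also avoids leaving a parent bash process behind and delivers signals straight to the tool. The same wrapper shape is repeated in _multipath.tpl and _multipathd.tpl, and a header comment noting that these wrappers execute the host's own binaries inside the host root filesystem mounted at /mnt/host-rootfs would help the next reader understand the mount they depend on.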
diff --git a/charts/nova/templates/bin/_multipath.tpl b/charts/nova/templates/bin/_multipath.tpl
new file mode 100644
index 0000000..7f84c9c
--- /dev/null
+++ b/charts/nova/templates/bin/_multipath.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ multipath "${@:1}"
diff --git a/charts/nova/templates/bin/_multipathd.tpl b/charts/nova/templates/bin/_multipathd.tpl
new file mode 100644
index 0000000..a9ff34a
--- /dev/null
+++ b/charts/nova/templates/bin/_multipathd.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
+ multipathd "${@:1}"
diff --git a/charts/nova/templates/bin/_nova-api-metadata-init.sh.tpl b/charts/nova/templates/bin/_nova-api-metadata-init.sh.tpl
new file mode 100644
index 0000000..84f1c80
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-api-metadata-init.sh.tpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+metadata_ip="{{- .Values.endpoints.compute_metadata.ip.ingress -}}"
+if [ -z "${metadata_ip}" ] ; then
+ metadata_ip=$(getent hosts metadata | awk '{print $1}')
+fi
+
+cat <<EOF>/tmp/pod-shared/nova-api-metadata.ini
+[DEFAULT]
+metadata_host=$metadata_ip
+EOF
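Review bot: When the ingress IP value is empty and `getent hosts metadata` resolves nothing, the pipeline still succeeds (awk exits 0 and pipefail is not set), so `metadata_ip` stays empty and the heredoc writes `metadata_host=` into nova-api-metadata.ini; the init container then exits successfully with a broken config. A check after the lookup, `[ -n "${metadata_ip}" ] || { echo "ERROR: unable to resolve metadata host"; exit 1; }`, fails the init step instead of deferring the problem to the service.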
diff --git a/charts/nova/templates/bin/_nova-api-metadata.sh.tpl b/charts/nova/templates/bin/_nova-api-metadata.sh.tpl
new file mode 100644
index 0000000..18195f2
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-api-metadata.sh.tpl
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+{{- if .Values.manifests.certificates }}
+ for WSGI_SCRIPT in nova-metadata-wsgi; do
+ cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
+ done
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+{{- end }}
+
+ if [ -f /var/run/apache2/apache2.pid ]; then
+ # Remove the stale pid for debian/ubuntu images
+ rm -f /var/run/apache2/apache2.pid
+ fi
+ # Starts Apache2
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+ exec nova-api-metadata \
+ --config-file /etc/nova/nova.conf \
+ --config-file /tmp/pod-shared/nova-api-metadata.ini
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+ if [ -f /etc/apache2/envvars ]; then
+ source /etc/apache2/envvars
+ fi
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+ kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
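Review bot: `COMMAND="${@:-start}"` followed by a bare `$COMMAND` runs whatever word the container is invoked with, not just the two functions defined above, so a typo in the pod command or lifecycle hook silently executes an unrelated program instead of reporting a bad argument. Dispatching through a case statement restricted to the known entry points fails closed; the same dispatcher appears in _nova-api.sh.tpl and would take the same change. The non-certificate `stop` branch does `kill -TERM 1`, which relies on the exec'd daemon being PID 1 of the container; a comment such as `# the service was exec'd as PID 1, so signal it directly` would make that assumption explicit.
```shell
# … unchanged: start and stop functions …
case "${COMMAND}" in
  start|stop) "${COMMAND}" ;;
  *) echo "ERROR: unknown command '${COMMAND}'" >&2; exit 1 ;;
esac
```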
diff --git a/charts/nova/templates/bin/_nova-api.sh.tpl b/charts/nova/templates/bin/_nova-api.sh.tpl
new file mode 100644
index 0000000..c62de9a
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-api.sh.tpl
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+{{- if .Values.manifests.certificates }}
+ for WSGI_SCRIPT in nova-api-wsgi; do
+ cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
+ done
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+
+{{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+{{- end }}
+
+
+ if [ -f /var/run/apache2/apache2.pid ]; then
+ # Remove the stale pid for debian/ubuntu images
+ rm -f /var/run/apache2/apache2.pid
+ fi
+ # Starts Apache2
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+{{- else }}
+ exec nova-api-os-compute \
+ --config-file /etc/nova/nova.conf
+{{- end }}
+}
+
+function stop () {
+{{- if .Values.manifests.certificates }}
+ if [ -f /etc/apache2/envvars ]; then
+ source /etc/apache2/envvars
+ fi
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+{{- else }}
+ kill -TERM 1
+{{- end }}
+}
+
+$COMMAND
diff --git a/charts/nova/templates/bin/_nova-compute-init.sh.tpl b/charts/nova/templates/bin/_nova-compute-init.sh.tpl
new file mode 100644
index 0000000..0636b69
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-compute-init.sh.tpl
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+# Make the Nova Instances Dir as this is not autocreated.
+mkdir -p /var/lib/nova/instances
+
+# Set Ownership of nova dirs to the nova user
+chown ${NOVA_USER_UID} /var/lib/nova /var/lib/nova/instances
+
+migration_interface="{{- .Values.conf.libvirt.live_migration_interface -}}"
+if [[ -n $migration_interface ]]; then
+ # determine ip dynamically based on interface provided
+ migration_address=$(ip a s $migration_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
+fi
+
+touch /tmp/pod-shared/nova-libvirt.conf
+if [[ -n $migration_address ]]; then
+cat <<EOF>/tmp/pod-shared/nova-libvirt.conf
+[libvirt]
+live_migration_inbound_addr = $migration_address
+EOF
+fi
+
+hypervisor_interface="{{- .Values.conf.hypervisor.host_interface -}}"
+if [[ -z $hypervisor_interface ]]; then
+ # search for interface with default routing
+ # If there is not default gateway, exit
+ hypervisor_interface=$(ip -4 route list 0/0 | awk -F 'dev' '{ print $2; exit }' | awk '{ print $1 }') || exit 1
+fi
+
+hypervisor_address=$(ip a s $hypervisor_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -1)
+
+if [ -z "${hypervisor_address}" ] ; then
+ echo "Var my_ip is empty"
+ exit 1
+fi
+
+tee > /tmp/pod-shared/nova-hypervisor.conf << EOF
+[DEFAULT]
+my_ip = $hypervisor_address
+EOF
+
+{{- if and ( empty .Values.conf.nova.DEFAULT.host ) ( .Values.pod.use_fqdn.compute ) }}
+tee > /tmp/pod-shared/nova-compute-fqdn.conf << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
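Review bot: The `|| exit 1` after the default-route lookup never fires for the "no default gateway" case the comment describes: when `ip -4 route list 0/0` prints nothing, the awk pipeline still exits 0, `hypervisor_interface` stays empty, and the following `ip a s $hypervisor_interface` then lists every interface, so `my_ip` ends up as the first `inet` address found (typically loopback) rather than the script exiting. An explicit check, `[ -n "${hypervisor_interface}" ] || { echo "ERROR: no default route found; set conf.hypervisor.host_interface"; exit 1; }`, restores the intended behaviour. The `$migration_interface` lookup uses the same unquoted-variable pattern, though it is protected by the `-n` test above it.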
diff --git a/charts/nova/templates/bin/_nova-compute-ironic.sh.tpl b/charts/nova/templates/bin/_nova-compute-ironic.sh.tpl
new file mode 100644
index 0000000..a22cbcf
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-compute-ironic.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec nova-compute \
+ --config-file /etc/nova/nova.conf \
+ --config-file /etc/nova/nova-ironic.conf
diff --git a/charts/nova/templates/bin/_nova-compute.sh.tpl b/charts/nova/templates/bin/_nova-compute.sh.tpl
new file mode 100644
index 0000000..23ce347
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-compute.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+exec nova-compute \
+ --config-file /etc/nova/nova.conf \
+ --config-file /tmp/pod-shared/nova-console.conf \
+ --config-file /tmp/pod-shared/nova-libvirt.conf \
+{{- if and ( empty .Values.conf.nova.DEFAULT.host ) ( .Values.pod.use_fqdn.compute ) }}
+ --config-file /tmp/pod-shared/nova-compute-fqdn.conf \
+{{- end }}
+ --config-file /tmp/pod-shared/nova-hypervisor.conf
diff --git a/charts/nova/templates/bin/_nova-conductor.sh.tpl b/charts/nova/templates/bin/_nova-conductor.sh.tpl
new file mode 100644
index 0000000..0f7d5b1
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-conductor.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec nova-conductor \
+ --config-file /etc/nova/nova.conf
diff --git a/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl b/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl
new file mode 100644
index 0000000..6718fab
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-console-compute-init.sh.tpl
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+console_kind="{{- .Values.console.console_kind -}}"
+
+if [ "${console_kind}" == "novnc" ] ; then
+ client_address="{{- .Values.conf.nova.vnc.server_proxyclient_address -}}"
+ client_interface="{{- .Values.console.novnc.compute.vncserver_proxyclient_interface -}}"
+ listen_ip="{{- .Values.conf.nova.vnc.server_listen -}}"
+elif [ "${console_kind}" == "spice" ] ; then
+ client_address="{{- .Values.conf.nova.spice.server_proxyclient_address -}}"
+ client_interface="{{- .Values.console.spice.compute.server_proxyclient_interface -}}"
+ listen_ip="{{- .Values.conf.nova.spice.server_listen -}}"
+fi
+
+if [ -z "${client_address}" ] ; then
+ if [ -z "${client_interface}" ] ; then
+ if [ -x "$(command -v route)" ] ; then
+ # search for interface with default routing, if multiple default routes exist then select the one with the lowest metric.
+ client_interface=$(route -n | awk '/^0.0.0.0/ { print $5 " " $NF }' | sort | awk '{ print $NF; exit }')
+ else
+ client_interface=$(ip r | grep default | awk '{print $5}')
+ fi
+ fi
+
+ # determine client ip dynamically based on interface provided
+ client_address=$(ip a s $client_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -n 1)
+fi
+
+if [ -z "${listen_ip}" ] ; then
+ # The server component listens on all IP addresses and the proxy component
+ # only listens on the management interface IP address of the compute node.
+ listen_ip=0.0.0.0
+fi
+
+touch /tmp/pod-shared/nova-console.conf
+if [ "${console_kind}" == "novnc" ] ; then
+ cat > /tmp/pod-shared/nova-console.conf <<EOF
+[vnc]
+server_proxyclient_address = $client_address
+vncserver_listen = $listen_ip
+EOF
+elif [ "${console_kind}" == "spice" ] ; then
+ cat > /tmp/pod-shared/nova-console.conf <<EOF
+[spice]
+server_proxyclient_address = $client_address
+server_listen = $listen_ip
+EOF
+fi
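Review bot: The comment above the `route -n` lookup promises the default route with the lowest metric, but the pipeline pipes `interface metric` pairs through plain `sort`, which orders by the whole line — interface name first, metric lexically as a tie-breaker — so on a host with several default routes the selected interface can be wrong; `sort -k2,2n` sorts on the metric numerically. The same line appears in _nova-console-proxy-init.sh.tpl. Separately, the novnc branch reads `.Values.conf.nova.vnc.server_listen` but writes the value as `vncserver_listen` under `[vnc]`, whereas the proxy-init script reads `vncserver_listen`; whether both key names are meant to be honoured is not visible here, so a comment or a single key name would clarify.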
diff --git a/charts/nova/templates/bin/_nova-console-proxy-init-assets.sh.tpl b/charts/nova/templates/bin/_nova-console-proxy-init-assets.sh.tpl
new file mode 100644
index 0000000..84652eb
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-console-proxy-init-assets.sh.tpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+console_kind="{{- .Values.console.console_kind -}}"
+if [ "${console_kind}" == "novnc" ] ; then
+ cp -vaRf /usr/share/novnc/* /tmp/usr/share/novnc/
+elif [ "${console_kind}" == "spice" ] ; then
+ cp -vaRf /usr/share/spice-html5/* /tmp/usr/share/spice-html5/
+fi
diff --git a/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl b/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
new file mode 100644
index 0000000..6218d29
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-console-proxy-init.sh.tpl
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+console_kind="{{- .Values.console.console_kind -}}"
+
+if [ "${console_kind}" == "novnc" ] ; then
+ client_address="{{- .Values.conf.nova.vnc.vncserver_proxyclient_address -}}"
+ client_interface="{{- .Values.console.novnc.vncproxy.vncserver_proxyclient_interface -}}"
+ listen_ip="{{- .Values.conf.nova.vnc.vncserver_listen -}}"
+elif [ "${console_kind}" == "spice" ] ; then
+ client_address="{{- .Values.conf.nova.spice.server_proxyclient_address -}}"
+ client_interface="{{- .Values.console.spice.proxy.server_proxyclient_interface -}}"
+ listen_ip="{{- .Values.conf.nova.spice.server_listen -}}"
+fi
+
+if [ -z "${client_address}" ] ; then
+ if [ -z "${client_interface}" ] ; then
+ if [ -x "$(command -v route)" ] ; then
+ # search for interface with default routing, if multiple default routes exist then select the one with the lowest metric.
+ client_interface=$(route -n | awk '/^0.0.0.0/ { print $5 " " $NF }' | sort | awk '{ print $NF; exit }')
+ else
+ client_interface=$(ip r | grep default | awk '{print $5}')
+ fi
+ fi
+
+ # determine client ip dynamically based on interface provided
+ client_address=$(ip a s $client_interface | grep 'inet ' | awk '{print $2}' | awk -F "/" '{print $1}' | head -n 1)
+fi
+
+if [ -z "${listen_ip}" ] ; then
+ listen_ip=$client_address
+fi
+
+if [ "${console_kind}" == "novnc" ] ; then
+cat <<EOF>/tmp/pod-shared/nova-vnc.ini
+[vnc]
+vncserver_proxyclient_address = $client_address
+vncserver_listen = $listen_ip
+EOF
+elif [ "${console_kind}" == "spice" ] ; then
+cat <<EOF>/tmp/pod-shared/nova-spice.ini
+[spice]
+server_proxyclient_address = $client_address
+server_listen = $listen_ip
+EOF
+fi
diff --git a/charts/nova/templates/bin/_nova-console-proxy.sh.tpl b/charts/nova/templates/bin/_nova-console-proxy.sh.tpl
new file mode 100644
index 0000000..253a053
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-console-proxy.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+
+console_kind="{{- .Values.console.console_kind -}}"
+if [ "${console_kind}" == "novnc" ] ; then
+ exec nova-novncproxy \
+ --config-file /etc/nova/nova.conf \
+ --config-file /tmp/pod-shared/nova-vnc.ini
+elif [ "${console_kind}" == "spice" ] ; then
+ exec nova-spicehtml5proxy\
+ --config-file /etc/nova/nova.conf \
+ --config-file /tmp/pod-shared/nova-spice.ini
+fi
\ No newline at end of file
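Review bot: When `console_kind` is neither novnc nor spice the script reaches the end without exec'ing anything and exits 0, so the container reports success and is restarted in a loop with nothing in its log; an `else echo "ERROR: unsupported console_kind '${console_kind}'" >&2; exit 1` branch makes the misconfiguration visible. `nova-spicehtml5proxy\` works only because backslash-newline is a line continuation; a space before the backslash matches the novnc branch. The file is also missing its trailing newline.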
diff --git a/charts/nova/templates/bin/_nova-consoleauth.sh.tpl b/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
new file mode 100644
index 0000000..97c4195
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-consoleauth.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -x
+exec nova-consoleauth \
+ --config-file /etc/nova/nova.conf
diff --git a/charts/nova/templates/bin/_nova-placement-api.sh.tpl b/charts/nova/templates/bin/_nova-placement-api.sh.tpl
new file mode 100644
index 0000000..762af44
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-placement-api.sh.tpl
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+
+ cp -a $(type -p nova-placement-api) /var/www/cgi-bin/nova/
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ # The directory below has to be created due to the fact that
+ # libapache2-mod-wsgi-py3 doesn't create it in contrary by libapache2-mod-wsgi
+ if [ ! -d ${APACHE_RUN_DIR} ]; then
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+ fi
+
+ # Start Apache2
+ {{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+ {{- end }}
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+}
+
+function stop () {
+ if [ -f /etc/apache2/envvars ]; then
+ source /etc/apache2/envvars
+ fi
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+}
+
+$COMMAND
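Review bot: `COMMAND="${@:-start}"` followed by a bare `$COMMAND` on the last line executes whatever arguments the container was started with as a shell command, not just the two functions the script defines, so a mistaken or tampered pod `args` list becomes arbitrary command execution inside the placement container. Restrict the dispatcher to the known entry points with a `case` and fail on anything else; the exposure is bounded by who can edit the pod spec, but the tighter form costs nothing. A second, smaller point: `cp -a $(type -p nova-placement-api) /var/www/cgi-bin/nova/` is unquoted, and if the binary is not on `PATH` the substitution is empty and `cp` fails with a confusing message rather than a clear one.

```shell
# … unchanged: start() and stop() definitions …
case "${COMMAND}" in
  start|stop)
    "${COMMAND}"
    ;;
  *)
    echo "unknown command: ${COMMAND} (expected start or stop)" >&2
    exit 1
    ;;
esac
```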
diff --git a/charts/nova/templates/bin/_nova-scheduler.sh.tpl b/charts/nova/templates/bin/_nova-scheduler.sh.tpl
new file mode 100644
index 0000000..dc00037
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-scheduler.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+exec nova-scheduler \
+ --config-file /etc/nova/nova.conf
diff --git a/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl b/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl
new file mode 100644
index 0000000..2242757
--- /dev/null
+++ b/charts/nova/templates/bin/_nova-service-cleaner.sh.tpl
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+# If any non-compute service is down, then sleep for 2 times the report_interval
+# to confirm service is still down.
+DISABLED_SVC="$(openstack compute service list -f value | grep -v 'nova-compute' | grep 'down' || true)"
+if [ ! -z "${DISABLED_SVC}" ]; then
+ sleep {{ .Values.jobs.service_cleaner.sleep_time }}
+fi
+
+NOVA_SERVICES_TO_CLEAN="$(openstack compute service list -f value -c Binary | sort | uniq | grep -v '^nova-compute$')"
+for NOVA_SERVICE in ${NOVA_SERVICES_TO_CLEAN}; do
+ DEAD_SERVICE_IDS=$(openstack compute service list --service ${NOVA_SERVICE} -f json | jq -r '.[] | select(.State == "down") | .ID')
+ for SERVICE_ID in ${DEAD_SERVICE_IDS}; do
+ openstack compute service delete "${SERVICE_ID}"
+ done
+done
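Review bot: The `NOVA_SERVICES_TO_CLEAN` pipeline ends in `grep -v '^nova-compute$'`, which exits 1 when nothing survives the filter, and under `set -xe` that non-zero status from the command substitution aborts the job, whereas the `DISABLED_SVC` line just above guards the same situation with `|| true`; add `|| true` to the second pipeline as well so an all-compute service list is treated as "nothing to clean" rather than a failure. The first check is also looser than the second: `grep 'down'` on the `-f value` output matches any column containing that substring (a host name, for example), so it can trigger the sleep when no service is actually down, while the deletion loop correctly keys on `.State == "down"`. Since this job deletes service records, a one-line comment stating that only non-compute binaries are ever removed and why the sleep precedes the deletion would help whoever tunes `sleep_time` later.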
diff --git a/charts/nova/templates/bin/_ssh-init.sh.tpl b/charts/nova/templates/bin/_ssh-init.sh.tpl
new file mode 100644
index 0000000..9032933
--- /dev/null
+++ b/charts/nova/templates/bin/_ssh-init.sh.tpl
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
+export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
+
+mkdir -p ${NOVA_USER_HOME}/.ssh
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
+
+cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+ port $SSH_PORT
+ IdentitiesOnly yes
+EOF
+
+cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
+chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
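Review bot: The generated `~/.ssh/config` sets `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null` for `Host *`, which turns off host-key verification entirely for every SSH connection nova makes from this pod, so a host that can answer on `$SSH_PORT` in the migration path can impersonate a peer compute without the client noticing. If that is an accepted trade-off because peer host keys are not persisted, say so in a comment above the heredoc, e.g. `# Host keys are regenerated per pod, so peer verification is intentionally disabled; rely on network policy to limit who can reach $SSH_PORT`, and consider the known-hosts-distribution alternative in a follow-up. Separately, `chown -R` runs before `config` and the `/tmp/nova-ssh/*` files are written, so those files end up owned by whichever user runs this init step, and only `id_rsa` gets `chmod 600`; moving the `chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh` line to after the `chmod` and adding `chmod 700 ${NOVA_USER_HOME}/.ssh` would make the resulting ownership and modes independent of the invoking user.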
diff --git a/charts/nova/templates/bin/_ssh-start.sh.tpl b/charts/nova/templates/bin/_ssh-start.sh.tpl
new file mode 100644
index 0000000..abbf9f0
--- /dev/null
+++ b/charts/nova/templates/bin/_ssh-start.sh.tpl
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+IFS=','
+for KEY_TYPE in $KEY_TYPES; do
+ KEY_PATH=/etc/ssh/ssh_host_${KEY_TYPE}_key
+ if [[ ! -f "${KEY_PATH}" ]]; then
+ ssh-keygen -q -t ${KEY_TYPE} -f ${KEY_PATH} -N ""
+ fi
+done
+IFS=''
+
+subnet_address="{{- .Values.network.ssh.from_subnet -}}"
+cat > /tmp/sshd_config_extend <<EOF
+PasswordAuthentication no
+Match Address $subnet_address
+ PermitRootLogin without-password
+EOF
+cat /tmp/sshd_config_extend >> /etc/ssh/sshd_config
+
+rm /tmp/sshd_config_extend
+
+exec /usr/sbin/sshd -D -e -o Port=$SSH_PORT
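Review bot: `subnet_address` is written into the heredoc unvalidated, so if `.Values.network.ssh.from_subnet` is empty the appended line becomes a bare `Match Address` with no pattern, which sshd is likely to reject at startup, and if it is set to a broad range the `PermitRootLogin` relaxation applies to every peer in that range; add a guard such as `[ -n "${subnet_address}" ] || { echo "network.ssh.from_subnet must be set" >&2; exit 1; }` before generating the snippet. `PermitRootLogin without-password` is the legacy spelling of `prohibit-password` in current OpenSSH releases; the old token still parses but the current name states the intent more clearly. Minor: `IFS=''` after the key loop sets IFS to empty rather than restoring the default, which suppresses word splitting for the rest of the script; `unset IFS` is the conventional way to restore it.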
diff --git a/charts/nova/templates/bin/_wait-for-computes-init.sh.tpl b/charts/nova/templates/bin/_wait-for-computes-init.sh.tpl
new file mode 100644
index 0000000..ef60bf6
--- /dev/null
+++ b/charts/nova/templates/bin/_wait-for-computes-init.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+{{ .Values.bootstrap.wait_for_computes.scripts.init_script | default "echo 'No wait-for-compute script configured'" }}
diff --git a/charts/nova/templates/certificates.yaml b/charts/nova/templates/certificates.yaml
new file mode 100644
index 0000000..3bf6c8d
--- /dev/null
+++ b/charts/nova/templates/certificates.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- if .Values.manifests.deployment_novncproxy }}
+{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end }}
+{{- if .Values.manifests.deployment_placement }}
+{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end }}
+{{ dict "envAll" . "service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- if .Values.manifests.deployment_spiceproxy }}
+{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end }}
+{{- end -}}
diff --git a/charts/nova/templates/configmap-bin.yaml b/charts/nova/templates/configmap-bin.yaml
new file mode 100644
index 0000000..141130a
--- /dev/null
+++ b/charts/nova/templates/configmap-bin.yaml
@@ -0,0 +1,114 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nova-bin
+data:
+{{- if .Values.conf.enable_iscsi }}
+ iscsiadm: |
+{{ tuple "bin/_iscsiadm.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ multipath: |
+{{ tuple "bin/_multipath.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ multipathd: |
+{{ tuple "bin/_multipathd.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+{{- if .Values.conf.ceph.enabled }}
+ ceph-keyring.sh: |
+{{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ceph-admin-keyring.sh: |
+{{ tuple "bin/_ceph-admin-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.manifests.cron_job_archive_deleted_rows }}
+ archive-deleted-rows.sh: |
+{{ tuple "bin/_db-archive-deleted-row.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ health-probe.py: |
+{{ tuple "bin/_health-probe.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-api.sh: |
+{{ tuple "bin/_nova-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-api-metadata.sh: |
+{{ tuple "bin/_nova-api-metadata.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-api-metadata-init.sh: |
+{{ tuple "bin/_nova-api-metadata-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-placement-api.sh: |
+{{ tuple "bin/_nova-placement-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-compute.sh: |
+{{ tuple "bin/_nova-compute.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-compute-init.sh: |
+{{ tuple "bin/_nova-compute-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-compute-ironic.sh: |
+{{ tuple "bin/_nova-compute-ironic.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-conductor.sh: |
+{{ tuple "bin/_nova-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-consoleauth.sh: |
+{{ tuple "bin/_nova-consoleauth.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-scheduler.sh: |
+{{ tuple "bin/_nova-scheduler.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ fake-iptables.sh: |
+{{ tuple "bin/_fake-iptables.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-console-compute-init.sh: |
+{{ tuple "bin/_nova-console-compute-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-console-proxy.sh: |
+{{ tuple "bin/_nova-console-proxy.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-console-proxy-init.sh: |
+{{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-console-proxy-init-assets.sh: |
+{{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ssh-init.sh: |
+{{ tuple "bin/_ssh-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ssh-start.sh: |
+{{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ cell-setup.sh: |
+{{ tuple "bin/_cell-setup.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ cell-setup-init.sh: |
+{{ tuple "bin/_cell-setup-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ nova-service-cleaner.sh: |
+{{ tuple "bin/_nova-service-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+ wait-for-computes-init.sh: |
+{{ tuple "bin/_wait-for-computes-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ tf-plugin.pth: |
+ /opt/plugin/site-packages
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/configmap-etc.yaml b/charts/nova/templates/configmap-etc.yaml
new file mode 100644
index 0000000..c92fd93
--- /dev/null
+++ b/charts/nova/templates/configmap-etc.yaml
@@ -0,0 +1,294 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "nova.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if empty .Values.conf.nova.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "username" .Values.endpoints.identity.auth.nova.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "password" .Values.endpoints.identity.auth.nova.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if .Values.conf.nova.service_user.send_service_user_token -}}
+
+{{- if empty .Values.conf.nova.service_user.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.region_name -}}
+{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.project_name -}}
+{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.username -}}
+{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.nova.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.service_user.password -}}
+{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.nova.password -}}
+{{- end -}}
+
+{{- end -}}
+
+{{- if empty .Values.conf.nova.database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.api_database.connection -}}
+{{- $connection := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.api_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.api_database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.cell0_database.connection -}}
+{{- $connection := tuple "oslo_db_cell0" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.cell0_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.cell0_database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "nova" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.nova.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.glance.api_servers -}}
+{{- $_ := tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.glance "api_servers" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.neutron.url -}}
+{{- $_ := tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.neutron "url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.neutron.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.neutron "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.neutron.region_name -}}
+{{- $_ := set .Values.conf.nova.neutron "region_name" .Values.endpoints.identity.auth.neutron.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.project_name -}}
+{{- $_ := set .Values.conf.nova.neutron "project_name" .Values.endpoints.identity.auth.neutron.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.neutron "project_domain_name" .Values.endpoints.identity.auth.neutron.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.neutron "user_domain_name" .Values.endpoints.identity.auth.neutron.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.username -}}
+{{- $_ := set .Values.conf.nova.neutron "username" .Values.endpoints.identity.auth.neutron.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.neutron.password -}}
+{{- $_ := set .Values.conf.nova.neutron "password" .Values.endpoints.identity.auth.neutron.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.cache.memcache_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.cache "memcache_servers" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.nova.DEFAULT.metadata_host) .Values.endpoints.compute_metadata.ip.ingress -}}
+{{- $_ := set .Values.conf.nova.DEFAULT "metadata_host" .Values.endpoints.compute_metadata.ip.ingress -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.DEFAULT.metadata_port -}}
+{{- $_ := tuple "compute_metadata" "public" "metadata" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.DEFAULT "metadata_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.placement.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.placement "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.placement.region_name -}}
+{{- $_ := set .Values.conf.nova.placement "region_name" .Values.endpoints.identity.auth.placement.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.project_name -}}
+{{- $_ := set .Values.conf.nova.placement "project_name" .Values.endpoints.identity.auth.placement.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.placement "project_domain_name" .Values.endpoints.identity.auth.placement.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.placement "user_domain_name" .Values.endpoints.identity.auth.placement.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.username -}}
+{{- $_ := set .Values.conf.nova.placement "username" .Values.endpoints.identity.auth.placement.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.placement.password -}}
+{{- $_ := set .Values.conf.nova.placement "password" .Values.endpoints.identity.auth.placement.password -}}
+{{- end -}}
+
+{{- if eq .Values.console.console_kind "novnc"}}
+{{- $_ := "true" | set .Values.conf.nova.vnc "enabled" -}}
+{{- if empty .Values.conf.nova.vnc.novncproxy_base_url -}}
+{{- $_ := tuple "compute_novnc_proxy" "public" "novnc_proxy" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.vnc "novncproxy_base_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.vnc.novncproxy_port -}}
+{{- $_ := tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.vnc "novncproxy_port" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if eq .Values.console.console_kind "spice"}}
+{{- $_ := "false" | set .Values.conf.nova.vnc "enabled" -}}
+{{- $_ := "true" | set .Values.conf.nova.spice "enabled" -}}
+{{- if empty .Values.conf.nova.spice.html5proxy_base_url -}}
+{{- $_ := tuple "compute_spice_proxy" "public" "spice_proxy" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.spice "html5proxy_base_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.spice.html5proxy_port -}}
+{{- $_ := tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.spice "html5proxy_port" -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.api_endpoint -}}
+{{- $_ := tuple "baremetal" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.ironic "api_endpoint" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.ironic "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.region_name -}}
+{{- $_ := set .Values.conf.nova.ironic "region_name" .Values.endpoints.identity.auth.ironic.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.project_name -}}
+{{- $_ := set .Values.conf.nova.ironic "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.ironic "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.ironic "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.username -}}
+{{- $_ := set .Values.conf.nova.ironic "username" .Values.endpoints.identity.auth.ironic.username -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.password -}}
+{{- $_ := set .Values.conf.nova.ironic "password" .Values.endpoints.identity.auth.ironic.password -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.auth_type -}}
+{{- $_ := set .Values.conf.nova.ironic "auth_type" .Values.endpoints.identity.auth.ironic.auth_type -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.ironic.auth_version -}}
+{{- $_ := set .Values.conf.nova.ironic "auth_version" .Values.endpoints.identity.auth.ironic.auth_version -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.memcache_secret_key -}}
+{{- $_ := (default (randAlphaNum 64) .Values.endpoints.oslo_cache.auth.memcache_secret_key) | set .Values.conf.nova.ironic "memcache_secret_key" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.ironic.memcache_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.ironic "memcache_servers" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.DEFAULT.osapi_compute_listen_port -}}
+{{- $_ := tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.nova.DEFAULT "osapi_compute_listen_port" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+
+{{ $__nova_compute := dict }}
+{{ $_ := set $__nova_compute "config" .Values.conf.nova }}
+{{ range .Values.conf.nova_compute_redactions }}
+{{ $_ := set $__nova_compute "config" (omit $__nova_compute.config .) }}
+{{ end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $configMapName }}
+type: Opaque
+data:
+ rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+ api-paste.ini: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.paste | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+ nova_sudoers: {{ $envAll.Values.conf.nova_sudoers | b64enc }}
+ rootwrap.conf: {{ .Values.conf.rootwrap | b64enc }}
+{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+{{- $filePrefix := replace "_" "-" $key }}
+ {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
+{{- end }}
+ nova.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova | b64enc }}
+ nova-compute.conf: {{ include "helm-toolkit.utils.to_oslo_conf" $__nova_compute.config | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
+ nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
+{{- if .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_api "key" "wsgi-api.conf" "format" "Secret" ) | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_metadata "key" "wsgi-metadata.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+{{- if .Values.conf.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.manifests.configmap_etc }}
+{{- list "nova-etc" . | include "nova.configmap.etc" }}
+{{- end }}
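Review bot: `memcache_secret_key` is defaulted with `randAlphaNum 64` in two independent places (the `keystone_authtoken` block and the `ironic` block), so when `endpoints.oslo_cache.auth.memcache_secret_key` is unset the same render produces two different keys, and every subsequent `helm upgrade` produces new ones again, invalidating whatever the middleware has cached under the previous key. Generate the fallback once into a template variable and reuse it in both places, and document in values that the key should be set explicitly so it is stable across renders and shared consistently with the other charts that talk to the same memcached. The rest of the template handles secrets sensibly: the rendered `nova.conf` goes into a `Secret`, `nova-compute.conf` is produced via `nova_compute_redactions`, and the DB URIs carry `ssl_verify_cert` when certificates are enabled.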
diff --git a/charts/nova/templates/cron-job-archive-deleted-rows.yaml b/charts/nova/templates/cron-job-archive-deleted-rows.yaml
new file mode 100644
index 0000000..7baa330
--- /dev/null
+++ b/charts/nova/templates/cron-job-archive-deleted-rows.yaml
@@ -0,0 +1,85 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_archive_deleted_rows }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-archive-deleted-rows-cron" }}
+{{ tuple $envAll "archive_deleted_rows" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: nova-archive-deleted-rows
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.archive_deleted_rows.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.archive_deleted_rows.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.archive_deleted_rows.history.failed }}
+ {{- if .Values.jobs.archive_deleted_rows.starting_deadline }}
+ startingDeadlineSeconds: {{ .Values.jobs.archive_deleted_rows.starting_deadline }}
+ {{- end }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "archive-deleted-rows" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "archive-deleted-rows" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "archive_deleted_rows" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "archive-deleted-rows" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ containers:
+ - name: nova-archive-deleted-rows
+{{ tuple $envAll "nova_archive_deleted_rows" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.archive_deleted_rows | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "archive_deleted_rows" "container" "nova_archive_deleted_rows" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+ command:
+ - /tmp/archive-deleted-rows.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: archive-deleted-rows-conf
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ - name: archive-deleted-rows-conf
+ mountPath: /etc/nova/logging.conf
+ subPath: logging.conf
+ readOnly: true
+ - name: archive-deleted-rows
+ mountPath: /tmp/archive-deleted-rows.sh
+ readOnly: true
+ subPath: archive-deleted-rows.sh
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: archive-deleted-rows
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: archive-deleted-rows-conf
+ secret:
+ secretName: nova-etc
+{{- end }}
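Review bot: The container mounts the MySQL TLS material via `helm-toolkit.snippets.tls_volume_mount` (the line right after the `archive-deleted-rows` script mount), but the `volumes:` list never declares the matching volume, so with `manifests.certificates` enabled the pod references a volume that does not exist and the API server should reject it; the sibling cell-setup template pairs the two. Adding `{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}` at the end of the volumes list fixes it. Separately, `apiVersion: batch/v1beta1` for CronJob is no longer served from Kubernetes 1.25; `batch/v1` covers the fields used here. The `archive-deleted-rows-conf` secret volume also omits the `defaultMode: 0444` the other new cron-job templates set, so the projected nova.conf (which carries database credentials) falls back to the 0644 default.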
diff --git a/charts/nova/templates/cron-job-cell-setup.yaml b/charts/nova/templates/cron-job-cell-setup.yaml
new file mode 100644
index 0000000..18b661a
--- /dev/null
+++ b/charts/nova/templates/cron-job-cell-setup.yaml
@@ -0,0 +1,97 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_cell_setup }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-cell-setup-cron" }}
+{{ tuple $envAll "cell_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: nova-cell-setup
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.cell_setup.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.cell_setup.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.cell_setup.history.failed }}
+ {{- if .Values.jobs.cell_setup.starting_deadline }}
+ startingDeadlineSeconds: {{ .Values.jobs.cell_setup.starting_deadline }}
+ {{- end }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cell_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ containers:
+ - name: nova-cell-setup
+{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+ command:
+ - /tmp/cell-setup.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/cell-setup.sh
+ subPath: cell-setup.sh
+ readOnly: true
+ - name: etcnova
+ mountPath: /etc/nova
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etcnova
+ emptyDir: {}
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- end }}
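Review bot: `apiVersion: batch/v1beta1` on the CronJob near the top of the hunk was deprecated in Kubernetes 1.21 and is not served from 1.25 onward, so this template will fail to install on current clusters; `apiVersion: batch/v1` is a drop-in for the fields used here (`schedule`, history limits, `startingDeadlineSeconds`, `concurrencyPolicy`). If older clusters must still be supported, the API group can be chosen from `.Capabilities.KubeVersion`, which the daemonset template in this commit already consults. The `etcnova` emptyDir is also mounted writable at `/etc/nova` underneath the read-only `nova.conf` and `policy.yaml` subPath mounts; a one-line comment such as `# writable /etc/nova for files the cell-setup script generates at runtime` would make clear this is deliberate rather than an accidental loosening, since the script itself is outside this hunk.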
diff --git a/charts/nova/templates/cron-job-service-cleaner.yaml b/charts/nova/templates/cron-job-service-cleaner.yaml
new file mode 100644
index 0000000..bbe3fab
--- /dev/null
+++ b/charts/nova/templates/cron-job-service-cleaner.yaml
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_service_cleaner }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-service-cleaner" }}
+{{ tuple $envAll "service_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: nova-service-cleaner
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.service_cleaner.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.service_cleaner.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.service_cleaner.history.failed }}
+ {{- if .Values.jobs.service_cleaner.starting_deadline }}
+ startingDeadlineSeconds: {{ .Values.jobs.service_cleaner.starting_deadline }}
+ {{- end }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "service-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "service-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "service_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "service_cleaner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ containers:
+ - name: nova-service-cleaner
+{{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "service_cleaner" "container" "nova_service_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
+{{- end }}
+ command:
+ - /tmp/nova-service-cleaner.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-service-cleaner.sh
+ subPath: nova-service-cleaner.sh
+ readOnly: true
+ - name: etcnova
+ mountPath: /etc/nova
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etcnova
+ emptyDir: {}
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- end }}
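Review bot: The `nova-etc` secret volume declared after `etcnova` in the `volumes:` list is never referenced by any `volumeMounts` entry in this template — the container mounts only `pod-tmp`, the script from `nova-bin`, the `etcnova` emptyDir and the TLS volume — so it is dead configuration that likely still causes the kubelet to project the full nova-etc secret (nova.conf with database and messaging credentials) onto the node for this pod. Either drop the three lines, or, if `nova-service-cleaner.sh` needs `nova.conf`, add the subPath mount the other cron jobs use: `- name: nova-etc` / `mountPath: /etc/nova/nova.conf` / `subPath: nova.conf` / `readOnly: true`. The script is not in this hunk, so which of the two applies cannot be confirmed here. Like the other new cron jobs, this one also targets the removed `batch/v1beta1` CronJob API rather than `batch/v1`.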
diff --git a/charts/nova/templates/daemonset-compute.yaml b/charts/nova/templates/daemonset-compute.yaml
new file mode 100644
index 0000000..e600e58
--- /dev/null
+++ b/charts/nova/templates/daemonset-compute.yaml
@@ -0,0 +1,565 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaComputeLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/nova/nova.conf
+ - --service-queue-name
+ - compute
+ - --liveness-probe
+ {{- if .Values.pod.use_fqdn.compute }}
+ - --use-fqdn
+ {{- end }}
+{{- end }}
+
+{{- define "novaComputeReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/nova/nova.conf
+ - --service-queue-name
+ - compute
+ {{- if .Values.pod.use_fqdn.compute }}
+ - --use-fqdn
+ {{- end }}
+{{- end }}
+
+{{- define "nova.compute.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_nova_compute := .Values.pod.mounts.nova_compute.nova_compute }}
+{{- $mounts_nova_compute_init := .Values.pod.mounts.nova_compute.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: nova-compute
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll $daemonset | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll .Chart.Name $daemonset | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute" "init" "nova-compute-init" "nova-compute-vnc-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ nodeSelector:
+ {{ .Values.labels.agent.compute.node_selector_key }}: {{ .Values.labels.agent.compute.node_selector_value }}
+ hostNetwork: true
+ hostPID: true
+ hostIPC: true
+ dnsPolicy: ClusterFirstWithHostNet
+ initContainers:
+{{ tuple $envAll "pod_dependency" $mounts_nova_compute_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: nova-compute-init
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: NOVA_USER_UID
+ value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
+ command:
+ - /tmp/nova-compute-init.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-compute-init.sh
+ subPath: nova-compute-init.sh
+ readOnly: true
+ - name: varlibnova
+ mountPath: /var/lib/nova
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{- if .Values.conf.ceph.enabled }}
+ - name: ceph-perms
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "ceph_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - chown
+ - -R
+ - "nova:"
+ - /etc/ceph
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{- if empty .Values.conf.ceph.cinder.keyring }}
+ - name: ceph-admin-keyring-placement
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: nova-bin
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty .Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{ end }}
+ - name: ceph-keyring-placement
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: CEPH_CINDER_USER
+ value: "{{ .Values.conf.ceph.cinder.user }}"
+ {{- if .Values.conf.ceph.cinder.keyring }}
+ - name: CEPH_CINDER_KEYRING
+ value: "{{ .Values.conf.ceph.cinder.keyring }}"
+ {{ end }}
+ - name: LIBVIRT_CEPH_SECRET_UUID
+ value: "{{ .Values.conf.ceph.secret_uuid }}"
+ command:
+ - /tmp/ceph-keyring.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: nova-bin
+ mountPath: /tmp/ceph-keyring.sh
+ subPath: ceph-keyring.sh
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf.template
+ subPath: ceph.conf
+ readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{ end }}
+ {{- if eq .Values.console.console_kind "novnc"}}
+ - name: nova-compute-vnc-init
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_vnc_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-console-compute-init.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-console-compute-init.sh
+ subPath: nova-console-compute-init.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{ end }}
+ {{- if eq .Values.console.console_kind "spice"}}
+ - name: nova-compute-spice-init
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_spice_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-console-compute-init.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-console-compute-init.sh
+ subPath: nova-console-compute-init.sh
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{ end }}
+ {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ - name: tungstenfabric-compute-init
+ image: {{ .Values.images.tags.tf_compute_init }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "tungstenfabric_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ volumeMounts:
+ - name: tf-plugin-shared
+ mountPath: /opt/plugin
+ - name: tf-plugin-bin
+ mountPath: /opt/plugin/bin
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{- end }}
+ {{- if .Values.network.ssh.enabled }}
+ - name: nova-compute-ssh-init
+{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ terminationMessagePath: /var/log/termination-log
+ env:
+ - name: SSH_PORT
+ value: {{ .Values.network.ssh.port | quote }}
+ - name: NOVA_USER_UID
+ value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
+ command:
+ - /tmp/ssh-init.sh
+ volumeMounts:
+ - name: varlibnova
+ mountPath: /var/lib/nova
+ - name: nova-ssh
+ mountPath: /tmp/nova-ssh/authorized_keys
+ subPath: public-key
+ - name: nova-ssh
+ mountPath: /tmp/nova-ssh/id_rsa
+ subPath: private-key
+ - name: nova-bin
+ mountPath: /tmp/ssh-init.sh
+ subPath: ssh-init.sh
+ readOnly: true
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{- end }}
+ containers:
+ - name: nova-compute
+{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ {{- if .Values.conf.ceph.enabled }}
+ - name: CEPH_CINDER_USER
+ value: "{{ .Values.conf.ceph.cinder.user }}"
+ {{- if .Values.conf.ceph.cinder.keyring }}
+ - name: CEPH_CINDER_KEYRING
+ value: "{{ .Values.conf.ceph.cinder.keyring }}"
+ {{ end }}
+ - name: LIBVIRT_CEPH_SECRET_UUID
+ value: "{{ .Values.conf.ceph.secret_uuid }}"
+ {{ end }}
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{- if .Values.manifests.certificates }}
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
+{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/nova-compute.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: dev-pts
+ mountPath: /dev/pts
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-compute.sh
+ subPath: nova-compute.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova-compute.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: nova-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_nova_sudoers
+ subPath: nova_sudoers
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "compute" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/nova/rootwrap.d/%s.filters" $filePrefix }}
+ - name: nova-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ {{- if .Values.conf.ceph.enabled }}
+ - name: etcceph
+ mountPath: /etc/ceph
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ {{- if and ( empty .Values.conf.ceph.cinder.keyring ) ( empty .Values.conf.ceph.admin_keyring )}}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ {{ end }}
+ - mountPath: /lib/modules
+ name: libmodules
+ readOnly: true
+ - name: varlibnova
+ mountPath: /var/lib/nova
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ - name: varliblibvirt
+ mountPath: /var/lib/libvirt
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ - name: run
+ mountPath: /run
+ - name: cgroup
+ mountPath: /sys/fs/cgroup
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: machine-id
+ mountPath: /etc/machine-id
+ readOnly: true
+ {{- if .Values.conf.enable_iscsi }}
+ - name: host-rootfs
+ mountPath: /mnt/host-rootfs
+ mountPropagation: HostToContainer
+ - name: usrlocalsbin
+ mountPath: /usr/local/sbin
+ - name: etciscsi
+ mountPath: /etc/iscsi
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: dev
+ mountPath: /dev
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: nova-bin
+ mountPath: /usr/local/sbin/iscsiadm
+ subPath: iscsiadm
+ - name: runlock
+ mountPath: /run/lock
+ - name: nova-bin
+ mountPath: /usr/local/sbin/multipath
+ subPath: multipath
+ - name: nova-bin
+ mountPath: /usr/local/sbin/multipathd
+ subPath: multipathd
+ - name: etcmultipath
+ mountPath: /etc/multipath
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: Bidirectional
+ {{- end }}
+ - name: sysblock
+ mountPath: /sys/block
+ {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
+ mountPropagation: HostToContainer
+ {{- end }}
+ {{- end }}
+ {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ - name: tf-plugin-shared
+ mountPath: /opt/plugin
+ readOnly: true
+ - name: tf-plugin-bin
+ mountPath: /usr/sbin
+ readOnly: true
+ - name: nova-bin
+ mountPath: /usr/local/lib/python2.7/site-packages/tf-plugin.pth
+ subPath: tf-plugin.pth
+ readOnly: true
+ - name: nova-bin
+ mountPath: /var/lib/openstack/lib/python2.7/site-packages/tf-plugin.pth
+ subPath: tf-plugin.pth
+ readOnly: true
+ - name: nova-bin
+ mountPath: /var/lib/openstack/lib/python3.6/site-packages/tf-plugin.pth
+ subPath: tf-plugin.pth
+ readOnly: true
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{- if .Values.network.ssh.enabled }}
+ - name: nova-compute-ssh
+{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+ - name: KEY_TYPES
+ value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
+ - name: SSH_PORT
+ value: {{ .Values.network.ssh.port | quote }}
+{{- if .Values.manifests.certificates }}
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
+ ports:
+ - containerPort: {{ .Values.network.ssh.port }}
+ command:
+ - /tmp/ssh-start.sh
+ terminationMessagePath: /var/log/termination-log
+ volumeMounts:
+ - name: varlibnova
+ mountPath: /var/lib/nova
+ - name: nova-bin
+ mountPath: /tmp/ssh-start.sh
+ subPath: ssh-start.sh
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ {{- if .Values.network.ssh.enabled }}
+ - name: nova-ssh
+ secret:
+ secretName: nova-ssh
+ defaultMode: 0644
+ {{ end }}
+ {{- if .Values.conf.ceph.enabled }}
+ - name: etcceph
+ hostPath:
+ path: /var/lib/openstack-helm/compute/nova
+ - name: ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ {{- if and ( empty .Values.conf.ceph.cinder.keyring ) ( empty .Values.conf.ceph.admin_keyring ) }}
+ - name: ceph-keyring
+ secret:
+ secretName: {{ .Values.ceph_client.user_secret_name }}
+ {{ end }}
+ {{ end }}
+ - name: dev-pts
+ hostPath:
+ path: /dev/pts
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: varlibnova
+ hostPath:
+ path: /var/lib/nova
+ - name: varliblibvirt
+ hostPath:
+ path: /var/lib/libvirt
+ - name: run
+ hostPath:
+ path: /run
+ - name: cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+ - name: pod-shared
+ emptyDir: {}
+ - name: machine-id
+ hostPath:
+ path: /etc/machine-id
+ {{- if .Values.conf.enable_iscsi }}
+ - name: host-rootfs
+ hostPath:
+ path: /
+ - name: runlock
+ hostPath:
+ path: /run/lock
+ - name: etciscsi
+ hostPath:
+ path: /etc/iscsi
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: usrlocalsbin
+ emptyDir: {}
+ - name: etcmultipath
+ hostPath:
+ path: /etc/multipath
+ - name: sysblock
+ hostPath:
+ path: /sys/block
+
+ {{- end }}
+ {{- if ( has "tungstenfabric" .Values.network.backend ) }}
+ - name: tf-plugin-shared
+ emptyDir: {}
+ - name: tf-plugin-bin
+ emptyDir: {}
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_compute }}
+{{- $envAll := . }}
+{{- $daemonset := "compute" }}
+{{- $configMapName := "nova-etc" }}
+{{- $serviceAccountName := "nova-compute" }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "compute" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "nova.compute.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "nova.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
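Review bot: The SSH key material in the `nova-compute-ssh-init` init container is mounted writable — the `nova-ssh` mounts for `/tmp/nova-ssh/authorized_keys` and `/tmp/nova-ssh/id_rsa` are the only secret subPath mounts in this hunk without `readOnly: true` — and the `nova-ssh` secret volume is projected with `defaultMode: 0644`, which leaves the private key readable by every UID in the container. Add `readOnly: true` to both mounts and tighten the volume to `defaultMode: 0400`; the init script appears to copy the key into `/var/lib/nova` and fix ownership using `NOVA_USER_UID`, so confirm it runs as a UID that can still read the projected file. The same omission applies to the `ceph-keyring.sh` mount and the `iscsiadm`/`multipath`/`multipathd` shims from `nova-bin`, which are writable here but read-only everywhere else in the template. Given `hostNetwork`/`hostPID`/`hostIPC` plus hostPath mounts of `/run`, `/dev` and (with `enable_iscsi`) the host root at `/mnt/host-rootfs`, a short header comment stating that this pod is intentionally node-privileged and that `pod.security_context.nova` is the only thing constraining it would help future reviewers.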
diff --git a/charts/nova/templates/deployment-api-metadata.yaml b/charts/nova/templates/deployment-api-metadata.yaml
new file mode 100644
index 0000000..c663a23
--- /dev/null
+++ b/charts/nova/templates/deployment-api-metadata.yaml
@@ -0,0 +1,204 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaApiMetadataLivenessProbeTemplate" }}
+tcpSocket:
+ port: {{ .Values.network.metadata.port }}
+{{- end }}
+
+{{- define "novaApiMetadataReadinessProbeTemplate" }}
+tcpSocket:
+ port: {{ .Values.network.metadata.port }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_api_metadata }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_api_metadata := .Values.pod.mounts.nova_api_metadata.nova_api_metadata }}
+{{- $mounts_nova_api_metadata_init := .Values.pod.mounts.nova_api_metadata.init_container }}
+
+{{- $serviceAccountName := "nova-api-metadata" }}
+{{ tuple $envAll "api_metadata" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nova-api-metadata
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api_metadata }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-api-metadata" "containerNames" (list "nova-api-metadata-init" "nova-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api_metadata.node_selector_key }}: {{ .Values.labels.api_metadata.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.metadata.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api_metadata" $mounts_nova_api_metadata_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: nova-api-metadata-init
+{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_api_metadata_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-api-metadata-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-api-metadata-init.sh
+ subPath: nova-api-metadata-init.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ containers:
+ - name: nova-api
+{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-api-metadata.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/nova-api-metadata.sh
+ - stop
+ ports:
+ - containerPort: {{ .Values.network.metadata.port }}
+{{ dict "envAll" $envAll "component" "api-metadata" "container" "default" "type" "liveness" "probeTemplate" (include "novaApiMetadataLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "api-metadata" "container" "default" "type" "readiness" "probeTemplate" (include "novaApiMetadataReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-api-metadata.sh
+ subPath: nova-api-metadata.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /sbin/iptables
+ subPath: fake-iptables.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /sbin/iptables-restore
+ subPath: fake-iptables.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /sbin/iptables-save
+ subPath: fake-iptables.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+ - name: nova-etc
+ # NOTE (Portdirect): We mount here to override Kollas
+ # custom sudoers file when using Kolla images, this
+ # location will also work fine for other images.
+ mountPath: /etc/sudoers.d/kolla_nova_sudoers
+ subPath: nova_sudoers
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
+ {{- if ( has "metadata" $value.pods ) }}
+ {{- $filePrefix := replace "_" "-" $key }}
+ {{- $rootwrapFile := printf "/etc/nova/rootwrap.d/%s.filters" $filePrefix }}
+ - name: nova-etc
+ mountPath: {{ $rootwrapFile }}
+ subPath: {{ base $rootwrapFile }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ readOnly: true
+ {{- if .Values.manifests.certificates }}
+ - name: wsgi-nova
+ mountPath: /var/www/cgi-bin/nova
+ - name: nova-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf
+ subPath: wsgi-metadata.conf
+ readOnly: true
+ - name: nova-etc
+ mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+ subPath: mpm_event.conf
+ readOnly: true
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ {{- if .Values.manifests.certificates }}
+ - name: wsgi-nova
+ emptyDir: {}
+ {{- end }}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+ - name: pod-shared
+ emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
+{{- end }}
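Review bot: The three mounts that place `fake-iptables.sh` over `/sbin/iptables`, `/sbin/iptables-restore` and `/sbin/iptables-save` in the nova-api container carry no comment, and shadowing a privileged network tool with a shim is exactly what the next maintainer will want explained; a comment above the first of them such as `# NOTE: shadows the iptables binaries with a no-op shim from nova-bin, presumably so the` / `# metadata service never touches netfilter — confirm against fake-iptables.sh in configmap-bin` would do. The metadata `containerPort` is also left unnamed, whereas deployment-api-osapi.yaml names its port `n-api`; giving it a name (for example `- name: n-meta`, a constructed value) keeps the two API deployments consistent and makes the port addressable from Service and NetworkPolicy objects.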
diff --git a/charts/nova/templates/deployment-api-osapi.yaml b/charts/nova/templates/deployment-api-osapi.yaml
new file mode 100644
index 0000000..41c1faf
--- /dev/null
+++ b/charts/nova/templates/deployment-api-osapi.yaml
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaApiOsapiLivenessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "novaApiOsapiReadinessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_api_osapi }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_api_osapi := .Values.pod.mounts.nova_api_osapi.nova_api_osapi }}
+{{- $mounts_nova_api_osapi_init := .Values.pod.mounts.nova_api_osapi.init_container }}
+
+{{- $serviceAccountName := "nova-api-osapi" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nova-api-osapi
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.osapi }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-api-osapi" "containerNames" (list "nova-osapi" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.osapi.node_selector_key }}: {{ .Values.labels.osapi.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.osapi.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_nova_api_osapi_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: nova-osapi
+{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_osapi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/nova-api.sh
+ - stop
+ ports:
+ - name: n-api
+ containerPort: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ dict "envAll" $envAll "component" "api-osapi" "container" "default" "type" "liveness" "probeTemplate" (include "novaApiOsapiLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "api-osapi" "container" "default" "type" "readiness" "probeTemplate" (include "novaApiOsapiReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-var-nova
+ mountPath: /var/lib/nova
+ - name: nova-bin
+ mountPath: /tmp/nova-api.sh
+ subPath: nova-api.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
+ {{- if .Values.manifests.certificates }}
+ - name: wsgi-nova
+ mountPath: /var/www/cgi-bin/nova
+ - name: nova-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf
+ subPath: wsgi-api.conf
+ readOnly: true
+ - name: nova-etc
+ mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
+ subPath: mpm_event.conf
+ readOnly: true
+ {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ {{- if .Values.manifests.certificates }}
+ - name: wsgi-nova
+ emptyDir: {}
+ {{- end }}
+ - name: pod-var-nova
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
+{{- end }}
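Review bot: The TLS snippet lines closing the volumeMounts and volumes lists mix `.Values.…` and `$envAll.Values.…` between adjacent entries (the oslo_db and compute lines use `.Values`, the oslo_messaging line uses `$envAll.Values`); inside this top-level `if` block the two resolve to the same object, but one form should be used throughout, and `$envAll.Values` is the one the template already binds for this purpose. deployment-conductor.yaml carries the same mix in its TLS lines. The final guard `{{ if $mounts_nova_api_osapi.volumes}}` is also missing the space before `}}` that every sibling template writes as `{{ if … .volumes }}`; Go templates accept it, so this is purely cosmetic.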
diff --git a/charts/nova/templates/deployment-conductor.yaml b/charts/nova/templates/deployment-conductor.yaml
new file mode 100644
index 0000000..5335a4c
--- /dev/null
+++ b/charts/nova/templates/deployment-conductor.yaml
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaConductorLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/nova/nova.conf
+ - --service-queue-name
+ - conductor
+ - --liveness-probe
+{{- end }}
+
+{{- define "novaConductorReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/nova/nova.conf
+ - --service-queue-name
+ - conductor
+{{- end }}
+
+{{- if .Values.manifests.deployment_conductor }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_conductor := .Values.pod.mounts.nova_conductor.nova_conductor }}
+{{- $mounts_nova_conductor_init := .Values.pod.mounts.nova_conductor.init_container }}
+
+{{- $serviceAccountName := "nova-conductor" }}
+{{ tuple $envAll "conductor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nova-conductor
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.conductor }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-conductor" "containerNames" (list "nova-conductor" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.conductor.node_selector_key }}: {{ .Values.labels.conductor.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "conductor" $mounts_nova_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: nova-conductor
+{{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_conductor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "conductor" "container" "default" "type" "liveness" "probeTemplate" (include "novaConductorLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "conductor" "container" "default" "type" "readiness" "probeTemplate" (include "novaConductorReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{- if .Values.manifests.certificates }}
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
+ command:
+ - /tmp/nova-conductor.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-conductor.sh
+ subPath: nova-conductor.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
+{{- end }}
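Review bot: `REQUESTS_CA_BUNDLE` is pinned to `/etc/nova/certs/ca.crt`, while the file it points at is only produced further down by the `tls_volume_mount` snippet invoked with `"path" "/etc/nova/certs" "certs" (tuple "ca.crt")`; nothing ties the two together, so editing either line alone would silently leave the conductor validating against a path that no longer exists. A comment on the env entry such as `# must match the "path"/"certs" arguments of the compute.osapi tls_volume_mount below` would make the coupling visible. Whether the conductor also needs the CA for its oslo_db and oslo_messaging connections cannot be determined from this template; those two mounts project the whole secret rather than just `ca.crt`.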
diff --git a/charts/nova/templates/deployment-consoleauth.yaml b/charts/nova/templates/deployment-consoleauth.yaml
new file mode 100644
index 0000000..c4a781f
--- /dev/null
+++ b/charts/nova/templates/deployment-consoleauth.yaml
@@ -0,0 +1,133 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaConsoleauthLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/nova/nova.conf
+ - --service-queue-name
+ - consoleauth
+ - --liveness-probe
+{{- end }}
+
+{{- define "novaConsoleauthReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/nova/nova.conf
+ - --service-queue-name
+ - consoleauth
+{{- end }}
+
+{{- if .Values.manifests.deployment_consoleauth }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_consoleauth := .Values.pod.mounts.nova_consoleauth.nova_consoleauth }}
+{{- $mounts_nova_consoleauth_init := .Values.pod.mounts.nova_consoleauth.init_container }}
+
+{{- $serviceAccountName := "nova-consoleauth" }}
+{{ tuple $envAll "consoleauth" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nova-consoleauth
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.consoleauth }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-consoleauth" "containerNames" (list "nova-consoleauth" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.consoleauth.node_selector_key }}: {{ .Values.labels.consoleauth.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "consoleauth" $mounts_nova_consoleauth_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: nova-consoleauth
+{{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_consoleauth" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "consoleauth" "container" "default" "type" "liveness" "probeTemplate" (include "novaConsoleauthLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "consoleauth" "container" "default" "type" "readiness" "probeTemplate" (include "novaConsoleauthReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+ command:
+ - /tmp/nova-consoleauth.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-consoleauth.sh
+ subPath: nova-consoleauth.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }}
+{{- end }}
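Review bot: When `.Values.manifests.certificates` is enabled this pod only receives the oslo_db TLS mount at `/etc/mysql/certs`, whereas deployment-conductor.yaml additionally mounts the oslo_messaging certificates at `/etc/rabbitmq/certs` and exports `REQUESTS_CA_BUNDLE`. Both deployments mount the same `nova.conf` from the `nova-etc` Secret and the health probe here targets the `consoleauth` RPC queue, so if that shared config points oslo.messaging at `/etc/rabbitmq/certs` the consoleauth container would presumably be unable to reach RabbitMQ under TLS. Adding the conductor's pair — `{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}` under volumeMounts and `{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}` under volumes — closes the gap, unless the omission is deliberate because this service is expected to stay disabled. nova-consoleauth was removed from Nova upstream in the Train release, so this template is only meaningful for older images and should default to off.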
diff --git a/charts/nova/templates/deployment-novncproxy.yaml b/charts/nova/templates/deployment-novncproxy.yaml
new file mode 100644
index 0000000..68db32a
--- /dev/null
+++ b/charts/nova/templates/deployment-novncproxy.yaml
@@ -0,0 +1,165 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaNovncproxyLivenessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "novaNovncproxyReadinessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if and .Values.manifests.deployment_novncproxy ( eq .Values.console.console_kind "novnc" )}}
+{{- $envAll := . }}
+
+{{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }}
+{{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }}
+
+{{- $serviceAccountName := "nova-novncproxy" }}
+{{ tuple $envAll "novncproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nova-novncproxy
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.novncproxy }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-novncproxy" "containerNames" (list "nova-novncproxy" "nova-novncproxy-init-assets" "nova-novncproxy-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.novncproxy.node_selector_key }}: {{ .Values.labels.novncproxy.node_selector_value }}
+{{- if .Values.pod.useHostNetwork.novncproxy }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+ initContainers:
+{{ tuple $envAll "novncproxy" $mounts_nova_novncproxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: nova-novncproxy-init
+{{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-console-proxy-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-console-proxy-init.sh
+ subPath: nova-console-proxy-init.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: nova-novncproxy-init-assets
+{{ tuple $envAll "nova_novncproxy_assets" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init_assests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-console-proxy-init-assets.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-console-proxy-init-assets.sh
+ subPath: nova-console-proxy-init-assets.sh
+ readOnly: true
+ - name: pod-usr-share-novnc
+ mountPath: /tmp/usr/share/novnc
+ containers:
+ - name: nova-novncproxy
+{{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "novncproxy" "container" "default" "type" "liveness" "probeTemplate" (include "novaNovncproxyLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "novncproxy" "container" "default" "type" "readiness" "probeTemplate" (include "novaNovncproxyReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/nova-console-proxy.sh
+ ports:
+ - name: n-novnc
+ containerPort: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-console-proxy.sh
+ subPath: nova-console-proxy.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/logging.conf
+ subPath: logging.conf
+ readOnly: true
+ - name: pod-usr-share-novnc
+ mountPath: /usr/share/novnc
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+ - name: pod-usr-share-novnc
+ emptyDir: {}
+ - name: pod-shared
+ emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
+{{- end }}
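Review bot: The container security-context lookup for the `nova-novncproxy-init-assets` init container passes `"container" "nova_novncproxy_init_assests"`, a spelling that matches neither the container's own name nor the sibling keys `nova_novncproxy_init` and `nova_novncproxy` used on the other two containers in this file. If the values file keys that container's hardening under `nova_novncproxy_init_assets`, the dict lookup finds nothing and this init container is rendered without whatever container-level security context the `nova` application supplies to the others; I cannot see values.yaml in this diff, so please confirm which spelling it uses and make both sides agree. The aligned line would be `{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init_assets" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}`.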
diff --git a/charts/nova/templates/deployment-placement.yaml b/charts/nova/templates/deployment-placement.yaml
new file mode 100644
index 0000000..1391cd9
--- /dev/null
+++ b/charts/nova/templates/deployment-placement.yaml
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaPlacementLivenessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "novaPlacementReadinessProbeTemplate" }}
+#NOTE(portdirect): use tcpSocket check as HTTP will return 401
+tcpSocket:
+ port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_placement }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_placement := .Values.pod.mounts.nova_placement.nova_placement }}
+{{- $mounts_nova_placement_init := .Values.pod.mounts.nova_placement.init_container }}
+
+{{- $serviceAccountName := "nova-placement-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nova-placement-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.placement }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-placement" "containerNames" (list "nova-placement-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.placement.node_selector_key }}: {{ .Values.labels.placement.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.placement.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_nova_placement_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: nova-placement-api
+{{ tuple $envAll "nova_placement" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.placement | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-placement-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/nova-placement-api.sh
+ - stop
+ ports:
+ - name: p-api
+ containerPort: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ dict "envAll" $envAll "component" "placement" "container" "default" "type" "liveness" "probeTemplate" (include "novaPlacementLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "placement" "container" "default" "type" "readiness" "probeTemplate" (include "novaPlacementReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: wsgi-nova
+ mountPath: /var/www/cgi-bin/nova
+ - name: nova-bin
+ mountPath: /tmp/nova-placement-api.sh
+ subPath: nova-placement-api.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: nova-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-nova-placement.conf
+ subPath: wsgi-nova-placement.conf
+ readOnly: true
+{{- if .Values.conf.security }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+ subPath: security.conf
+ readOnly: true
+{{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: wsgi-nova
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
+{{- end }}
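Review bot: The `nova-placement-api` pod spec has no pod-level security context: after `serviceAccountName: {{ $serviceAccountName }}` it goes straight to `affinity:`, whereas the scheduler and novncproxy deployments in this same commit emit `{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` at exactly that point. Without it any pod-wide settings the `nova` application provides through that snippet do not apply to the placement pod, and only the container-level context on `nova-placement-api` is in effect. Unless the omission is deliberate, add the same line directly after `serviceAccountName` so the four deployments are hardened consistently.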
diff --git a/charts/nova/templates/deployment-scheduler.yaml b/charts/nova/templates/deployment-scheduler.yaml
new file mode 100644
index 0000000..b8a465e
--- /dev/null
+++ b/charts/nova/templates/deployment-scheduler.yaml
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaSchedulerLivenessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/nova/nova.conf
+ - --service-queue-name
+ - scheduler
+ - --liveness-probe
+{{- end }}
+
+{{- define "novaSchedulerReadinessProbeTemplate" }}
+exec:
+ command:
+ - python
+ - /tmp/health-probe.py
+ - --config-file
+ - /etc/nova/nova.conf
+ - --service-queue-name
+ - scheduler
+{{- end }}
+
+{{- if .Values.manifests.deployment_scheduler }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_scheduler := .Values.pod.mounts.nova_scheduler.nova_scheduler }}
+{{- $mounts_nova_scheduler_init := .Values.pod.mounts.nova_scheduler.init_container }}
+
+{{- $serviceAccountName := "nova-scheduler" }}
+{{ tuple $envAll "scheduler" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nova-scheduler
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.scheduler }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-scheduler" "containerNames" (list "nova-scheduler" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.scheduler.node_selector_key }}: {{ .Values.labels.scheduler.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "scheduler" $mounts_nova_scheduler_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: nova-scheduler
+{{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "scheduler" "container" "default" "type" "liveness" "probeTemplate" (include "novaSchedulerLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "scheduler" "container" "default" "type" "readiness" "probeTemplate" (include "novaSchedulerReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ env:
+ - name: RPC_PROBE_TIMEOUT
+ value: "{{ .Values.pod.probes.rpc_timeout }}"
+ - name: RPC_PROBE_RETRIES
+ value: "{{ .Values.pod.probes.rpc_retries }}"
+{{- if .Values.manifests.certificates }}
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
+ command:
+ - /tmp/nova-scheduler.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-scheduler.sh
+ subPath: nova-scheduler.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /tmp/health-probe.py
+ subPath: health-probe.py
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/nova/templates/deployment-spiceproxy.yaml b/charts/nova/templates/deployment-spiceproxy.yaml
new file mode 100644
index 0000000..98046a0
--- /dev/null
+++ b/charts/nova/templates/deployment-spiceproxy.yaml
@@ -0,0 +1,160 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "novaSpiceproxyLivenessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- define "novaSpiceproxyReadynessProbeTemplate" }}
+tcpSocket:
+ port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if and .Values.manifests.deployment_spiceproxy ( eq .Values.console.console_kind "spice" )}}
+{{- $envAll := . }}
+
+{{- $mounts_nova_spiceproxy := .Values.pod.mounts.nova_spiceproxy.nova_spiceproxy }}
+{{- $mounts_nova_spiceproxy_init := .Values.pod.mounts.nova_spiceproxy.init_spiceproxy }}
+
+{{- $serviceAccountName := "nova-spiceproxy" }}
+{{ tuple $envAll "spiceproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nova-spiceproxy
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.spiceproxy }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.spiceproxy.node_selector_key }}: {{ .Values.labels.spiceproxy.node_selector_value }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ initContainers:
+{{ tuple $envAll "spiceproxy" $mounts_nova_spiceproxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: nova-spiceproxy-init
+{{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-console-proxy-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-console-proxy-init.sh
+ subPath: nova-console-proxy-init.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: nova-spiceproxy-init-assets
+{{ tuple $envAll "nova_spiceproxy_assets" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy_init_assets" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/nova-console-proxy-init-assets.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-console-proxy-init-assets.sh
+ subPath: nova-console-proxy-init-assets.sh
+ readOnly: true
+ - name: pod-usr-share-spice-html5
+ mountPath: /tmp/usr/share/spice-html5
+ containers:
+ - name: nova-spiceproxy
+{{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "component" "compute-spice-proxy" "container" "default" "type" "liveness" "probeTemplate" (include "novaSpiceproxyLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "compute-spice-proxy" "container" "default" "type" "readiness" "probeTemplate" (include "novaSpiceproxyReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/nova-console-proxy.sh
+ ports:
+ - name: n-spice
+ containerPort: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-console-proxy.sh
+ subPath: nova-console-proxy.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: pod-usr-share-spice-html5
+ mountPath: /usr/share/spice-html5
+ readOnly: true
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+ - name: pod-usr-share-spice-html5
+ emptyDir: {}
+ - name: pod-shared
+ emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
+{{- end }}
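Review bot: The readiness probe of the `nova-spiceproxy` container will not render: the template is defined as `novaSpiceproxyReadynessProbeTemplate` but the probe line includes `novaSpiceproxyReadinessProbeTemplate`, and Go templates error on an `include` of an undefined name. Because the whole manifest is guarded by `eq .Values.console.console_kind "spice"`, the failure only surfaces once the spice console is actually enabled, which is why it can ship unnoticed; rename the definition to `{{- define "novaSpiceproxyReadinessProbeTemplate" }}`. Separately, this deployment sets `hostNetwork: true` and `dnsPolicy: ClusterFirstWithHostNet` unconditionally and omits the `kubernetes_mandatory_access_control_annotation` block, while the sibling novncproxy deployment gates host networking on `.Values.pod.useHostNetwork.novncproxy` and emits that annotation. A matching `useHostNetwork.spiceproxy` toggle and the same annotation would keep the two console proxies at parity and make the host-network exposure an explicit operator choice.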
diff --git a/charts/nova/templates/ingress-metadata.yaml b/charts/nova/templates/ingress-metadata.yaml
new file mode 100644
index 0000000..36eb864
--- /dev/null
+++ b/charts/nova/templates/ingress-metadata.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
+{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/ingress-novncproxy.yaml b/charts/nova/templates/ingress-novncproxy.yaml
new file mode 100644
index 0000000..cad53cf
--- /dev/null
+++ b/charts/nova/templates/ingress-novncproxy.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
+{{- $envAll := . }}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
+{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/ingress-osapi.yaml b/charts/nova/templates/ingress-osapi.yaml
new file mode 100644
index 0000000..b78f80f
--- /dev/null
+++ b/charts/nova/templates/ingress-osapi.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/ingress-placement.yaml b/charts/nova/templates/ingress-placement.yaml
new file mode 100644
index 0000000..28b0f0d
--- /dev/null
+++ b/charts/nova/templates/ingress-placement.yaml
@@ -0,0 +1,23 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}}
+{{- if and .Values.manifests.certificates $secretName }}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end }}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/job-bootstrap.yaml b/charts/nova/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..c105f56
--- /dev/null
+++ b/charts/nova/templates/job-bootstrap.yaml
@@ -0,0 +1,140 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+{{- if and $envAll.Values.manifests.job_bootstrap $envAll.Values.bootstrap.enabled }}
+{{- $serviceName := "nova" -}}
+{{- $keystoneUser := $envAll.Values.bootstrap.ks_user -}}
+{{- $configMapBin := printf "%s-%s" $serviceName "bin" -}}
+{{- $configMapEtc := printf "%s-%s" $serviceName "etc" -}}
+{{- $configFile := printf "/etc/%s/%s.conf" $serviceName $serviceName -}}
+{{- $logConfigFile := $envAll.Values.conf.nova.DEFAULT.log_config_append -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $serviceAccountName := printf "%s-%s" $serviceName "bootstrap" -}}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $serviceAccountName | quote }}
+ labels:
+{{ tuple $envAll "nova" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
+ - name: nova-wait-for-computes-init
+{{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "nova_wait_for_computes_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/wait-for-computes-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/wait-for-computes-init.sh
+ subPath: wait-for-computes-init.sh
+ readOnly: true
+{{- end }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: WAIT_PERCENTAGE
+ value: "{{ .Values.bootstrap.wait_for_computes.wait_percentage }}"
+ - name: REMAINING_WAIT
+ value: "{{ .Values.bootstrap.wait_for_computes.remaining_wait }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
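Review bot: The second `bootstrap-conf` volumeMount (`mountPath: {{ $logConfigFile | quote }}` / `subPath: {{ base $logConfigFile | quote }}`) is rendered unconditionally, whereas job-cell-setup wraps the equivalent mount in `{{- if .Values.conf.nova.DEFAULT.log_config_append }}`; with that value unset this job would render an empty `mountPath`, which the API server rejects, so the same guard should be applied here. Separately, the ClusterRole/ClusterRoleBinding granting `get`/`list` on `nodes` is emitted whenever the job is, while the only container in this hunk that appears to need node access is the `nova-wait-for-computes-init` init container, itself gated on `$envAll.Values.bootstrap.wait_for_computes.enabled`; placing the two RBAC objects under the same condition keeps the cluster-wide grant to the cases that use it (job-cell-setup has the same shape). Both jobs also give these cluster-scoped objects fixed names (`nova-bootstrap`, `nova-cell-setup`), so two releases in different namespaces would collide on the ClusterRoleBinding and the last one applied would win; qualifying the name with `{{ .Release.Name }}` or the namespace avoids that.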
diff --git a/charts/nova/templates/job-cell-setup.yaml b/charts/nova/templates/job-cell-setup.yaml
new file mode 100644
index 0000000..cdcdf25
--- /dev/null
+++ b/charts/nova/templates/job-cell-setup.yaml
@@ -0,0 +1,149 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_cell_setup }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "nova-cell-setup" }}
+{{ tuple $envAll "cell_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: nova-cell-setup
+ labels:
+{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "nova-cell-setup" "containerNames" (list "nova-cell-setup-init" "nova-cell-setup" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
+ - name: nova-wait-for-computes-init
+{{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "nova_wait_for_computes_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/wait-for-computes-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/wait-for-computes-init.sh
+ subPath: wait-for-computes-init.sh
+ readOnly: true
+{{- end }}
+ - name: nova-cell-setup-init
+{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ command:
+ - /tmp/cell-setup-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/cell-setup-init.sh
+ subPath: cell-setup-init.sh
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ containers:
+ - name: nova-cell-setup
+{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/cell-setup.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/cell-setup.sh
+ subPath: cell-setup.sh
+ readOnly: true
+ - name: etcnova
+ mountPath: /etc/nova
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etcnova
+ emptyDir: {}
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/nova/templates/job-db-drop.yaml b/charts/nova/templates/job-db-drop.yaml
new file mode 100644
index 0000000..9a6b1a0
--- /dev/null
+++ b/charts/nova/templates/job-db-drop.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $serviceName := "nova" -}}
+{{- $dbSvc := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+{{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "api_database" "configDbKey" "connection" -}}
+{{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
+{{- $dbsToDrop := list $dbSvc $dbApi $dbCell }}
+{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbsToDrop" $dbsToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
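Review bot: Unlike job-db-init and job-db-sync, this manifest has no `metadata.annotations.job.*` define and no `helm3_hook` branch, so whenever `manifests.job_db_drop` is true it is rendered as an ordinary Job on every install or upgrade and drops the `database`, `api_database` and `cell0_database` connections listed in `$dbsToDrop`. Please confirm the flag defaults to false in values.yaml, and consider a comment above the `if` such as `{{/* teardown only: enable manifests.job_db_drop deliberately, never in a normal install */}}`. Also, `logConfigFile` is hard-coded to `/etc/%s/logging.conf` here (and in job-db-init) while job-bootstrap reads `.Values.conf.nova.DEFAULT.log_config_append`; if the two can diverge, the drop job presumably mounts a logging config path that the rest of the chart does not use.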
diff --git a/charts/nova/templates/job-db-init.yaml b/charts/nova/templates/job-db-init.yaml
new file mode 100644
index 0000000..b1ca870
--- /dev/null
+++ b/charts/nova/templates/job-db-init.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $serviceName := "nova" -}}
+{{- $dbSvc := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+{{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "api_database" "configDbKey" "connection" -}}
+{{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
+{{- $dbsToInit := list $dbSvc $dbApi $dbCell }}
+{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/nova/templates/job-db-sync.yaml b/charts/nova/templates/job-db-sync.yaml
new file mode 100644
index 0000000..3cd8cac
--- /dev/null
+++ b/charts/nova/templates/job-db-sync.yaml
@@ -0,0 +1,50 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- define "nova.templates._job_db_sync.env_vars" -}}
+{{- $envAll := index . 0 }}
+env:
+ - name: TRANSPORT_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.nova }}
+ key: TRANSPORT_URL
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_db.nova }}
+ key: DB_CONNECTION
+ - name: DB_CONNECTION_CELL0
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_db_cell0.nova }}
+ key: DB_CONNECTION
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $podEnvVars := include "nova.templates._job_db_sync.env_vars" (tuple .) | toString | fromYaml }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "nova" "podVolMounts" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumeMounts "podVols" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumes "podEnvVars" $podEnvVars.env -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/nova/templates/job-image-repo-sync.yaml b/charts/nova/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..fe488dd
--- /dev/null
+++ b/charts/nova/templates/job-image-repo-sync.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "nova" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-endpoints.yaml b/charts/nova/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..5057ebc
--- /dev/null
+++ b/charts/nova/templates/job-ks-endpoints.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-placement-endpoints.yaml b/charts/nova/templates/job-ks-placement-endpoints.yaml
new file mode 100644
index 0000000..2147f3c
--- /dev/null
+++ b/charts/nova/templates/job-ks-placement-endpoints.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_placement_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
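Review bot: The placement Keystone jobs (this hunk, job-ks-placement-service and job-ks-placement-user) have no `helm3_hook` branch and no `metadata.annotations.job.*` define, whereas their nova counterparts attach `post-install,post-upgrade` hook annotations with explicit weights when `.Values.helm3_hook` is set. With hooks enabled, the placement user/service/endpoint jobs would therefore run as ordinary Job resources while the nova ones run as hooks, so their ordering relative to each other and to db-sync is no longer governed by the hook weights. If that is intentional, a one-line comment above the `if` would save the next reader from checking; otherwise add the same `{{- if .Values.helm3_hook }}` block with a matching weight.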
diff --git a/charts/nova/templates/job-ks-placement-service.yaml b/charts/nova/templates/job-ks-placement-service.yaml
new file mode 100644
index 0000000..c2c8865
--- /dev/null
+++ b/charts/nova/templates/job-ks-placement-service.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_placement_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-placement-user.yaml b/charts/nova/templates/job-ks-placement-user.yaml
new file mode 100644
index 0000000..035c2f0
--- /dev/null
+++ b/charts/nova/templates/job-ks-placement-user.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_placement_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-service.yaml b/charts/nova/templates/job-ks-service.yaml
new file mode 100644
index 0000000..d9eb3b5
--- /dev/null
+++ b/charts/nova/templates/job-ks-service.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/nova/templates/job-ks-user.yaml b/charts/nova/templates/job-ks-user.yaml
new file mode 100644
index 0000000..e5613cc
--- /dev/null
+++ b/charts/nova/templates/job-ks-user.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{- end }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/nova/templates/job-rabbit-init.yaml b/charts/nova/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..ffbb270
--- /dev/null
+++ b/charts/nova/templates/job-rabbit-init.yaml
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "nova" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/nova/templates/netpol-nova.yaml b/charts/nova/templates/netpol-nova.yaml
new file mode 100644
index 0000000..4939aca
--- /dev/null
+++ b/charts/nova/templates/netpol-nova.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nova" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/nova/templates/netpol-placement.yaml b/charts/nova/templates/netpol-placement.yaml
new file mode 100644
index 0000000..18feb04
--- /dev/null
+++ b/charts/nova/templates/netpol-placement.yaml
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- if .Values.manifests.deployment_placement -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "placement" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/nova/templates/pdb-metadata.yaml b/charts/nova/templates/pdb-metadata.yaml
new file mode 100644
index 0000000..6fba271
--- /dev/null
+++ b/charts/nova/templates/pdb-metadata.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_metadata }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: nova-api-metadata
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.metadata.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
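Review bot: `apiVersion: policy/v1beta1` for the PodDisruptionBudget at the top of this file is the deprecated group version; it was removed in Kubernetes 1.25, so the rendered manifest is rejected on current clusters. The same apiVersion is used in pdb-osapi.yaml and pdb-placement.yaml in this commit. Switching to `apiVersion: policy/v1` leaves the `minAvailable` and `selector.matchLabels` fields shown here unchanged. Since these charts are vendored, the fix presumably belongs upstream or in a patch applied during bundling rather than an edit to the copied file.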
diff --git a/charts/nova/templates/pdb-osapi.yaml b/charts/nova/templates/pdb-osapi.yaml
new file mode 100644
index 0000000..81971d1
--- /dev/null
+++ b/charts/nova/templates/pdb-osapi.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_osapi }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: nova-api-osapi
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.osapi.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/nova/templates/pdb-placement.yaml b/charts/nova/templates/pdb-placement.yaml
new file mode 100644
index 0000000..db7e1c7
--- /dev/null
+++ b/charts/nova/templates/pdb-placement.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_placement }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: nova-placement-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.placement.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/nova/templates/pod-rally-test.yaml b/charts/nova/templates/pod-rally-test.yaml
new file mode 100644
index 0000000..eabe8b6
--- /dev/null
+++ b/charts/nova/templates/pod-rally-test.yaml
@@ -0,0 +1,110 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_rally_test }}
+{{- $envAll := . }}
+
+{{- $mounts_tests := .Values.pod.mounts.nova_tests.nova_tests }}
+{{- $mounts_tests_init := .Values.pod.mounts.nova_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ print $envAll.Release.Name "-test" }}
+ labels:
+{{ tuple $envAll "nova" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "nova-test" "containerNames" (list "init" "nova-test" "nova-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
+spec:
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+ restartPolicy: Never
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ - name: nova-test-ks-user
+{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+ command:
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: "test"
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: SERVICE_OS_ROLE
+ value: {{ .Values.endpoints.identity.auth.test.role | quote }}
+ containers:
+ - name: nova-test
+{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates}}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
+{{- end }}
+ - name: RALLY_ENV_NAME
+ value: {{.Release.Name}}
+ command:
+ - /tmp/rally-test.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-etc
+ mountPath: /etc/rally/rally_tests.yaml
+ subPath: rally_tests.yaml
+ readOnly: true
+ - name: nova-bin
+ mountPath: /tmp/rally-test.sh
+ subPath: rally-test.sh
+ readOnly: true
+ - name: rally-db
+ mountPath: /var/lib/rally
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: rally-db
+ emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
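Review bot: `RALLY_ENV_NAME` is rendered as `value: {{.Release.Name}}` without quoting, so a release name that YAML types as something other than a string (all digits, or a boolean-looking word) yields a non-string env value and the Pod is rejected by the API server; `value: {{ .Release.Name | quote }}` matches the quoting already used for `SERVICE_OS_ROLE` earlier in this file. The `"helm.sh/hook": test-success` annotation is the Helm 2 spelling; Helm 3 still accepts it as an alias of `test`, so this is only a point of currency, not a functional defect.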
diff --git a/charts/nova/templates/secret-db-api.yaml b/charts/nova/templates/secret-db-api.yaml
new file mode 100644
index 0000000..baf75b1
--- /dev/null
+++ b/charts/nova/templates/secret-db-api.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db_api }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "nova" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db_api $userClass }}
+{{- $connection := tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-db-cell0.yaml b/charts/nova/templates/secret-db-cell0.yaml
new file mode 100644
index 0000000..100b57f
--- /dev/null
+++ b/charts/nova/templates/secret-db-cell0.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db_cell0 }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "nova" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db_cell0 $userClass }}
+{{- $connection := tuple "oslo_db_cell0" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-db.yaml b/charts/nova/templates/secret-db.yaml
new file mode 100644
index 0000000..d9cbf8f
--- /dev/null
+++ b/charts/nova/templates/secret-db.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "nova" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-ingress-tls.yaml b/charts/nova/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..91ec9fa
--- /dev/null
+++ b/charts/nova/templates/secret-ingress-tls.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" ) }}
+{{- if .Values.manifests.ingress_placement }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "placement" "backendServiceType" "placement" ) }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-keystone-placement.yaml b/charts/nova/templates/secret-keystone-placement.yaml
new file mode 100644
index 0000000..bdce9b5
--- /dev/null
+++ b/charts/nova/templates/secret-keystone-placement.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone_placement }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "placement" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-keystone.yaml b/charts/nova/templates/secret-keystone.yaml
new file mode 100644
index 0000000..beddb30
--- /dev/null
+++ b/charts/nova/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "nova" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/secret-ssh.yaml b/charts/nova/templates/secret-ssh.yaml
new file mode 100644
index 0000000..4811b2e
--- /dev/null
+++ b/charts/nova/templates/secret-ssh.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "nova.configmap.ssh" }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: nova-ssh
+type: Opaque
+data:
+ private-key: {{ .Values.network.ssh.private_key | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.network.ssh.public_key "key" "public-key" "format" "Secret" ) | indent 2 }}
+
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "nova-ssh" . | include "nova.configmap.ssh" }}
+{{- end }}
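Review bot: The private key for the `nova-ssh` Secret is taken directly from `.Values.network.ssh.private_key`, so whatever sits in the bundled values.yaml or any committed override becomes the deployed key material. Since this commit vendors the chart into this repository, it is worth confirming that the bundled values hold only a placeholder and that real keys arrive through an untracked override or an external secret store; the values file is not in this hunk, so this is an inference. Separately, the object rendered is a Secret but the define is named `nova.configmap.ssh` and it is gated by `.Values.manifests.configmap_etc`; a dedicated manifests flag named after the secret, following the `secret_db`/`secret_keystone`/`secret_rabbitmq` pattern used by the other secret templates in this commit, would let operators disable it independently of the configmap.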
diff --git a/charts/nova/templates/secret_rabbitmq.yaml b/charts/nova/templates/secret_rabbitmq.yaml
new file mode 100644
index 0000000..b49f84e
--- /dev/null
+++ b/charts/nova/templates/secret_rabbitmq.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- $rabbitmqProtocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $rabbitmqProtocol = "https" }}
+{{- end }}
+{{- range $key1, $userClass := tuple "admin" "nova" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+ TRANSPORT_URL: {{ tuple "oslo_messaging" "internal" $userClass "amqp" $envAll | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-metadata.yaml b/charts/nova/templates/service-ingress-metadata.yaml
new file mode 100644
index 0000000..187987d
--- /dev/null
+++ b/charts/nova/templates/service-ingress-metadata.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_metadata .Values.network.metadata.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "compute_metadata" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-novncproxy.yaml b/charts/nova/templates/service-ingress-novncproxy.yaml
new file mode 100644
index 0000000..caae913
--- /dev/null
+++ b/charts/nova/templates/service-ingress-novncproxy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_novncproxy .Values.network.novncproxy.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "compute_novnc_proxy" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-osapi.yaml b/charts/nova/templates/service-ingress-osapi.yaml
new file mode 100644
index 0000000..44633e3
--- /dev/null
+++ b/charts/nova/templates/service-ingress-osapi.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_osapi .Values.network.osapi.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "compute" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/service-ingress-placement.yaml b/charts/nova/templates/service-ingress-placement.yaml
new file mode 100644
index 0000000..5d9e6a6
--- /dev/null
+++ b/charts/nova/templates/service-ingress-placement.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_placement .Values.network.placement.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "placement" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/nova/templates/service-metadata.yaml b/charts/nova/templates/service-metadata.yaml
new file mode 100644
index 0000000..26eed99
--- /dev/null
+++ b/charts/nova/templates/service-metadata.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_metadata }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "compute_metadata" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: n-meta
+ port: {{ .Values.network.metadata.port }}
+ {{ if .Values.network.metadata.node_port.enabled }}
+ nodePort: {{ .Values.network.metadata.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.metadata.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.metadata.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/service-novncproxy.yaml b/charts/nova/templates/service-novncproxy.yaml
new file mode 100644
index 0000000..9e7eebe
--- /dev/null
+++ b/charts/nova/templates/service-novncproxy.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_novncproxy ( eq .Values.console.console_kind "novnc" ) }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "compute_novnc_proxy" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: n-novnc
+ port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.novncproxy.node_port.enabled }}
+ nodePort: {{ .Values.network.novncproxy.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.novncproxy.node_port.enabled }}
+ type: NodePort
+ {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/service-osapi.yaml b/charts/nova/templates/service-osapi.yaml
new file mode 100644
index 0000000..91ab52c
--- /dev/null
+++ b/charts/nova/templates/service-osapi.yaml
@@ -0,0 +1,37 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_osapi }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "compute" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: n-api
+ port: {{ tuple "compute" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.osapi.node_port.enabled }}
+ nodePort: {{ .Values.network.osapi.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.osapi.node_port.enabled }}
+ type: NodePort
+ {{ if .Values.network.osapi.external_policy_local }}
+ externalTrafficPolicy: Local
+ {{ end }}
+ {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/service-placement.yaml b/charts/nova/templates/service-placement.yaml
new file mode 100644
index 0000000..8e1f3d5
--- /dev/null
+++ b/charts/nova/templates/service-placement.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_placement }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "placement" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: p-api
+ port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.placement.node_port.enabled }}
+ nodePort: {{ .Values.network.placement.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.placement.node_port.enabled }}
+ type: NodePort
+ {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/service-spiceproxy.yaml b/charts/nova/templates/service-spiceproxy.yaml
new file mode 100644
index 0000000..3507a05
--- /dev/null
+++ b/charts/nova/templates/service-spiceproxy.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_spiceproxy (eq .Values.console.console_kind "spice") }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "compute_spice_proxy" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: n-spice
+ port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.spiceproxy.node_port.enabled }}
+ nodePort: {{ .Values.network.spiceproxy.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.spiceproxy.node_port.enabled }}
+ type: NodePort
+ {{ end }}
+{{- end }}
diff --git a/charts/nova/templates/statefulset-compute-ironic.yaml b/charts/nova/templates/statefulset-compute-ironic.yaml
new file mode 100644
index 0000000..377555d
--- /dev/null
+++ b/charts/nova/templates/statefulset-compute-ironic.yaml
@@ -0,0 +1,113 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.statefulset_compute_ironic }}
+{{- $envAll := . }}
+
+{{- $mounts_nova_compute_ironic := .Values.pod.mounts.nova_compute_ironic.nova_compute_ironic }}
+{{- $mounts_nova_compute_ironic_init := .Values.pod.mounts.nova_compute_ironic.init_container }}
+
+{{- $serviceAccountName := "nova-compute-ironic" }}
+{{ tuple $envAll "compute_ironic" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: nova-compute-ironic
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.compute_ironic }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ serviceName: "{{ tuple "baremetal" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}-compute"
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.agent.compute_ironic.node_selector_key }}: {{ .Values.labels.agent.compute_ironic.node_selector_value }}
+ securityContext:
+ runAsUser: 0
+ hostPID: true
+ dnsPolicy: ClusterFirstWithHostNet
+ initContainers:
+{{ tuple $envAll "compute_ironic" $mounts_nova_compute_ironic_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: nova-compute-ironic
+{{ tuple $envAll "nova_compute_ironic" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.compute_ironic | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/nova-compute-ironic.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: nova-bin
+ mountPath: /tmp/nova-compute-ironic.sh
+ subPath: nova-compute-ironic.sh
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/nova.conf
+ subPath: nova.conf
+ readOnly: true
+ {{- if .Values.conf.nova.DEFAULT.log_config_append }}
+ - name: nova-etc
+ mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: nova-etc
+ mountPath: /etc/nova/nova-ironic.conf
+ subPath: nova-ironic.conf
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: nova-etc
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: varlibironic
+ mountPath: /var/lib/ironic
+{{ if $mounts_nova_compute_ironic.volumeMounts }}{{ toYaml $mounts_nova_compute_ironic.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: nova-bin
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+ - name: nova-etc
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+ - name: varlibironic
+ hostPath:
+ path: /var/lib/ironic
+{{ if $mounts_nova_compute_ironic.volumes }}{{ toYaml $mounts_nova_compute_ironic.volumes | indent 8 }}{{ end }}
+{{- end }}
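Review bot: The explicit `securityContext:` / `runAsUser: 0` under `spec:` (the two lines after the `nodeSelector` block) sit at the same level as the `helm-toolkit.snippets.kubernetes_pod_security_context` include a few lines above; if that snippet renders a `securityContext:` key, as its name suggests, the rendered manifest carries a duplicate key and the values-driven context is silently replaced by a hard-coded root user under last-wins parsing. Either drop the explicit block and let the toolkit snippet drive it, or add a comment stating why root is required for this pod. The mandatory-access-control annotation is keyed on `"podName" "nova-compute-default"` and `(list "nova-compute")` although the only container in this pod is `nova-compute-ironic`, so a profile configured for this container would presumably not be applied; it looks copied from the compute daemonset and should read `{{ dict "envAll" $envAll "podName" "nova-compute-ironic" "containerNames" (list "nova-compute-ironic") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}`. `hostPID: true`, `dnsPolicy: ClusterFirstWithHostNet` (with no `hostNetwork` set) and the writable `/var/lib/ironic` hostPath widen the pod's host access; nothing visible in this template shows the ironic driver needing the host PID namespace, so either a comment giving the reason or removing `hostPID` would help reviewers and hardening tooling.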
diff --git a/charts/nova/values.yaml b/charts/nova/values.yaml
new file mode 100644
index 0000000..7d4c1e5
--- /dev/null
+++ b/charts/nova/values.yaml
@@ -0,0 +1,2619 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for nova.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+ agent:
+ compute:
+ node_selector_key: openstack-compute-node
+ node_selector_value: enabled
+ compute_ironic:
+ node_selector_key: openstack-compute-node
+ node_selector_value: enabled
+ api_metadata:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ conductor:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ consoleauth:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ novncproxy:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ osapi:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ placement:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ scheduler:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ spiceproxy:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ pull_policy: IfNotPresent
+ tags:
+ bootstrap: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ nova_archive_deleted_rows: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ nova_api: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_cell_setup: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_cell_setup_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ nova_compute: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_compute_ironic: 'docker.io/kolla/ubuntu-source-nova-compute-ironic:ocata'
+ nova_compute_ssh: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_conductor: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_consoleauth: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_db_sync: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_novncproxy: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_novncproxy_assets: 'docker.io/kolla/ubuntu-source-nova-novncproxy:ocata'
+ nova_placement: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_scheduler: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ # NOTE(portdirect): we simply use the ceph config helper here,
+ # as it has both oscli and jq.
+ nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_xenial'
+ nova_spiceproxy: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ nova_spiceproxy_assets: docker.io/openstackhelm/nova:stein-ubuntu_bionic
+ test: docker.io/xrally/xrally-openstack:2.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ nova_wait_for_computes_init: gcr.io/google_containers/hyperkube-amd64:v1.11.6
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+jobs:
+ # NOTE(portdirect): When using cells new nodes will be added to the cell on the hour by default.
+ # TODO(portdirect): Add a post-start action to nova compute pods that registers themselves.
+ cell_setup:
+ cron: "0 */1 * * *"
+ starting_deadline: 600
+ history:
+ success: 3
+ failed: 1
+ extended_wait:
+ enabled: false
+ iteration: 3
+ duration: 5
+ service_cleaner:
+ cron: "0 */1 * * *"
+ starting_deadline: 600
+ history:
+ success: 3
+ failed: 1
+ sleep_time: 60
+ archive_deleted_rows:
+ cron: "0 */1 * * *"
+ starting_deadline: 600
+ history:
+ success: 3
+ failed: 1
+
+bootstrap:
+ enabled: true
+ ks_user: admin
+ script: null
+ structured:
+ flavors:
+ enabled: true
+ options:
+ m1_tiny:
+ name: "m1.tiny"
+ ram: 512
+ disk: 1
+ vcpus: 1
+ m1_small:
+ name: "m1.small"
+ ram: 2048
+ disk: 20
+ vcpus: 1
+ m1_medium:
+ name: "m1.medium"
+ ram: 4096
+ disk: 40
+ vcpus: 2
+ m1_large:
+ name: "m1.large"
+ ram: 8192
+ disk: 80
+ vcpus: 4
+ m1_xlarge:
+ name: "m1.xlarge"
+ ram: 16384
+ disk: 160
+ vcpus: 8
+ wait_for_computes:
+ enabled: false
+ # Wait percentage is the minimum percentage of compute hypervisors which
+ # must be available before the remainder of the bootstrap script can be run.
+ wait_percentage: 70
+ # Once the wait_percentage above is achieved, the remaining_wait is the
+ # amount of time in seconds to wait before executing the remainder of the
+ # boostrap script.
+ remaining_wait: 300
+ scripts:
+ init_script: |
+ # This runs in a bootstrap init container. It counts the number of compute nodes.
+ COMPUTE_NODES=$(kubectl get nodes -o custom-columns=NAME:.metadata.name -l openstack-compute-node=enabled --no-headers | sort)
+ /bin/echo $COMPUTE_NODES > /tmp/compute_nodes.txt
+ wait_script: |
+ # This script runs in the main bootstrap container just before the
+ # bootstrap.script is called.
+ COMPUTE_HOSTS=`cat /tmp/compute_nodes.txt | wc -w`
+ if [[ $COMPUTE_HOSTS == 0 ]]; then
+ echo "There are no compute hosts found!"
+ exit 1
+ fi
+
+ # Wait for all hypervisors to come up before moving on with the deployment
+ HYPERVISOR_WAIT=true
+ WAIT_AFTER_READY=0
+ SLEEP=5
+ while [[ $HYPERVISOR_WAIT == true ]]; do
+ # Its possible that openstack command may fail due to not being able to
+ # reach the compute service
+ set +e
+ HYPERVISORS=$(openstack hypervisor list -f value -c 'Hypervisor Hostname' | wc -w)
+ set -e
+
+ PERCENT_READY=$(( $HYPERVISORS * 100 / $COMPUTE_HOSTS ))
+ if [[ $PERCENT_READY -ge $WAIT_PERCENTAGE ]]; then
+ echo "Hypervisor ready percentage is $PERCENT_READY"
+ if [[ $PERCENT_READY == 100 ]]; then
+ HYPERVISOR_WAIT=false
+ echo "All hypervisors are ready."
+ elif [[ WAIT_AFTER_READY -ge $REMAINING_WAIT ]]; then
+ HYPERVISOR_WAIT=false
+ echo "Waited the configured time -- $HYPERVISORS out of $COMPUTE_HOSTS hypervisor(s) ready -- proceeding with the bootstrap."
+ else
+ sleep $SLEEP
+ WAIT_AFTER_READY=$(( $WAIT_AFTER_READY + $SLEEP ))
+ fi
+ else
+ echo "Waiting $SLEEP seconds for enough hypervisors to be discovered..."
+ sleep $SLEEP
+ fi
+ done
+
+network:
+ # provide what type of network wiring will be used
+ # possible options: openvswitch, linuxbridge, sriov
+ backend:
+ - openvswitch
+ osapi:
+ port: 8774
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30774
+ metadata:
+ port: 8775
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30775
+ placement:
+ port: 8778
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ node_port:
+ enabled: false
+ port: 30778
+ novncproxy:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ node_port:
+ enabled: false
+ port: 30680
+ spiceproxy:
+ node_port:
+ enabled: false
+ port: 30682
+ ssh:
+ enabled: false
+ port: 8022
+ from_subnet: 0.0.0.0/0
+ key_types:
+ - rsa
+ - dsa
+ - ecdsa
+ - ed25519
+ private_key: 'null'
+ public_key: 'null'
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - nova-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ targeted:
+ openvswitch:
+ compute:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-ovs-agent
+ linuxbridge:
+ compute:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-lb-agent
+ sriov:
+ compute:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: neutron
+ component: neutron-sriov-agent
+ static:
+ api:
+ jobs:
+ - nova-db-sync
+ - nova-ks-user
+ - nova-ks-endpoints
+ - nova-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ api_metadata:
+ jobs:
+ - nova-db-sync
+ - nova-ks-user
+ - nova-ks-endpoints
+ - nova-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ bootstrap:
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: compute
+ cell_setup:
+ jobs:
+ - nova-db-sync
+ - nova-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: compute
+ pod:
+ - requireSameNode: false
+ labels:
+ application: nova
+ component: compute
+ service_cleaner:
+ jobs:
+ - nova-db-sync
+ - nova-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: compute
+ compute:
+ pod:
+ - requireSameNode: true
+ labels:
+ application: libvirt
+ component: libvirt
+ jobs:
+ - nova-db-sync
+ - nova-rabbit-init
+ - placement-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: image
+ - endpoint: internal
+ service: compute
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: compute_metadata
+ compute_ironic:
+ jobs:
+ - nova-db-sync
+ - nova-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: image
+ - endpoint: internal
+ service: compute
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: baremetal
+ conductor:
+ jobs:
+ - nova-db-sync
+ - nova-rabbit-init
+ - placement-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: compute
+ consoleauth:
+ jobs:
+ - nova-db-sync
+ - nova-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: compute
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ archive_deleted_rows:
+ jobs:
+ - nova-db-init
+ - nova-db-sync
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - nova-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ ks_endpoints:
+ jobs:
+ - nova-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - service: oslo_messaging
+ endpoint: internal
+ novncproxy:
+ jobs:
+ - nova-db-sync
+ services:
+ - endpoint: internal
+ service: oslo_db
+ spiceproxy:
+ jobs:
+ - nova-db-sync
+ services:
+ - endpoint: internal
+ service: oslo_db
+ scheduler:
+ jobs:
+ - nova-db-sync
+ - nova-rabbit-init
+ - placement-ks-endpoints
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: compute
+ tests:
+ services:
+ - endpoint: internal
+ service: image
+ - endpoint: internal
+ service: compute
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: compute_metadata
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+console:
+ # serial | spice | novnc | none
+ console_kind: novnc
+ serial:
+ spice:
+ compute:
+ # IF blank, search default routing interface
+ server_proxyclient_interface:
+ proxy:
+ # IF blank, search default routing interface
+ server_proxyclient_interface:
+ novnc:
+ compute:
+ # IF blank, search default routing interface
+ vncserver_proxyclient_interface:
+ vncproxy:
+ # IF blank, search default routing interface
+ vncserver_proxyclient_interface:
+
+ceph_client:
+ configmap: ceph-etc
+ user_secret_name: pvc-ceph-client-key
+
+conf:
+ security: |
+ #
+ # Disable access to the entire file system except for the directories that
+ # are explicitly allowed later.
+ #
+ # This currently breaks the configurations that come with some web application
+ # Debian packages.
+ #
+ #<Directory />
+ # AllowOverride None
+ # Require all denied
+ #</Directory>
+
+ # Changing the following options will not really affect the security of the
+ # server, but might make attacks slightly more difficult in some cases.
+
+ #
+ # ServerTokens
+ # This directive configures what you return as the Server HTTP response
+ # Header. The default is 'Full' which sends information about the OS-Type
+ # and compiled in modules.
+ # Set to one of: Full | OS | Minimal | Minor | Major | Prod
+ # where Full conveys the most information, and Prod the least.
+ ServerTokens Prod
+
+ #
+ # Optionally add a line containing the server version and virtual host
+ # name to server-generated pages (internal error documents, FTP directory
+ # listings, mod_status and mod_info output etc., but not CGI generated
+ # documents or custom error documents).
+ # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+ # Set to one of: On | Off | EMail
+ ServerSignature Off
+
+ #
+ # Allow TRACE method
+ #
+ # Set to "extended" to also reflect the request body (only for testing and
+ # diagnostic purposes).
+ #
+ # Set to one of: On | Off | extended
+ TraceEnable Off
+
+ #
+ # Forbid access to version control directories
+ #
+ # If you use version control systems in your document root, you should
+ # probably deny access to their directories. For example, for subversion:
+ #
+ #<DirectoryMatch "/\.svn">
+ # Require all denied
+ #</DirectoryMatch>
+
+ #
+ # Setting this header will prevent MSIE from interpreting files as something
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+ #Header set X-Content-Type-Options: "nosniff"
+
+ #
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+ #Header set X-Frame-Options: "sameorigin"
+ software:
+ apache2:
+ binary: apache2
+ start_parameters: -DFOREGROUND
+ conf_dir: /etc/apache2/conf-enabled
+ site_dir: /etc/apache2/sites-enable
+ mods_dir: /etc/apache2/mods-available
+ a2enmod: null
+ a2dismod: null
+ ceph:
+ enabled: true
+ admin_keyring: null
+ cinder:
+ user: "cinder"
+ keyring: null
+ secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+ rally_tests:
+ run_tempest: false
+ clean_up: |
+ FLAVORS=$(openstack flavor list -f value --all | awk '$2 ~ /^s_rally_/ { print $1 }')
+ if [ -n "$FLAVORS" ]; then
+ echo $FLAVORS | xargs openstack flavor delete
+ fi
+ SERVERS=$(openstack server list -f value --all | awk '$2 ~ /^s_rally_/ { print $1 }')
+ if [ -n "$SERVERS" ]; then
+ echo $SERVERS | xargs openstack server delete
+ fi
+ IMAGES=$(openstack image list -f value | awk '$2 ~ /^c_rally_/ { print $1 }')
+ if [ -n "$IMAGES" ]; then
+ echo $IMAGES | xargs openstack image delete
+ fi
+ tests:
+ NovaAgents.list_agents:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaAggregates.create_and_get_aggregate_details:
+ - args:
+ availability_zone: nova
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaAggregates.create_and_update_aggregate:
+ - args:
+ availability_zone: nova
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaAggregates.list_aggregates:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaAvailabilityZones.list_availability_zones:
+ - args:
+ detailed: true
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaFlavors.create_and_delete_flavor:
+ - args:
+ disk: 1
+ ram: 500
+ vcpus: 1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaFlavors.create_and_list_flavor_access:
+ - args:
+ disk: 1
+ ram: 500
+ vcpus: 1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaFlavors.create_flavor:
+ - args:
+ disk: 1
+ ram: 500
+ vcpus: 1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaFlavors.create_flavor_and_add_tenant_access:
+ - args:
+ disk: 1
+ ram: 500
+ vcpus: 1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaFlavors.create_flavor_and_set_keys:
+ - args:
+ disk: 1
+ extra_specs:
+ 'quota:disk_read_bytes_sec': 10240
+ ram: 500
+ vcpus: 1
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaFlavors.list_flavors:
+ - args:
+ detailed: true
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaHypervisors.list_and_get_hypervisors:
+ - args:
+ detailed: true
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaHypervisors.list_and_get_uptime_hypervisors:
+ - args:
+ detailed: true
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaHypervisors.list_and_search_hypervisors:
+ - args:
+ detailed: true
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaHypervisors.list_hypervisors:
+ - args:
+ detailed: true
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaHypervisors.statistics_hypervisors:
+ - args: {}
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaKeypair.create_and_delete_keypair:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaKeypair.create_and_list_keypairs:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaServerGroups.create_and_list_server_groups:
+ - args:
+ all_projects: false
+ kwargs:
+ policies:
+ - affinity
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ NovaServices.list_services:
+ - runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ paste:
+ composite:metadata:
+ use: egg:Paste#urlmap
+ /: meta
+ pipeline:meta:
+ pipeline: cors metaapp
+ app:metaapp:
+ paste.app_factory: nova.api.metadata.handler:MetadataRequestHandler.factory
+ composite:osapi_compute:
+ use: call:nova.api.openstack.urlmap:urlmap_factory
+ /: oscomputeversions
+ /v2: openstack_compute_api_v21_legacy_v2_compatible
+ /v2.1: openstack_compute_api_v21
+ composite:openstack_compute_api_v21:
+ use: call:nova.api.auth:pipeline_factory_v21
+ noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
+ keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext osapi_compute_app_v21
+ composite:openstack_compute_api_v21_legacy_v2_compatible:
+ use: call:nova.api.auth:pipeline_factory_v21
+ noauth2: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
+ keystone: cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken audit keystonecontext legacy_v2_compatible osapi_compute_app_v21
+ filter:request_id:
+ paste.filter_factory: oslo_middleware:RequestId.factory
+ filter:compute_req_id:
+ paste.filter_factory: nova.api.compute_req_id:ComputeReqIdMiddleware.factory
+ filter:faultwrap:
+ paste.filter_factory: nova.api.openstack:FaultWrapper.factory
+ filter:noauth2:
+ paste.filter_factory: nova.api.openstack.auth:NoAuthMiddleware.factory
+ filter:sizelimit:
+ paste.filter_factory: oslo_middleware:RequestBodySizeLimiter.factory
+ filter:http_proxy_to_wsgi:
+ paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+ filter:legacy_v2_compatible:
+ paste.filter_factory: nova.api.openstack:LegacyV2CompatibleWrapper.factory
+ app:osapi_compute_app_v21:
+ paste.app_factory: nova.api.openstack.compute:APIRouterV21.factory
+ pipeline:oscomputeversions:
+ pipeline: faultwrap http_proxy_to_wsgi oscomputeversionapp
+ app:oscomputeversionapp:
+ paste.app_factory: nova.api.openstack.compute.versions:Versions.factory
+ filter:cors:
+ paste.filter_factory: oslo_middleware.cors:filter_factory
+ oslo_config_project: nova
+ filter:keystonecontext:
+ paste.filter_factory: nova.api.auth:NovaKeystoneContext.factory
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/nova/api_audit_map.conf
+ policy: {}
+ nova_sudoers: |
+ # This sudoers file supports rootwrap for both Kolla and LOCI Images.
+ Defaults !requiretty
+ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
+ nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *, /var/lib/openstack/bin/nova-rootwrap /etc/nova/rootwrap.conf *
+ api_audit_map:
+ DEFAULT:
+ target_endpoint_type: None
+ custom_actions:
+ enable: enable
+ disable: disable
+ delete: delete
+ startup: start/startup
+ shutdown: stop/shutdown
+ reboot: start/reboot
+ os-migrations/get: read
+ os-server-password/post: update
+ path_keywords:
+ add: None
+ action: None
+ enable: None
+ disable: None
+ configure-project: None
+ defaults: None
+ delete: None
+ detail: None
+ diagnostics: None
+ entries: entry
+ extensions: alias
+ flavors: flavor
+ images: image
+ ips: label
+ limits: None
+ metadata: key
+ os-agents: os-agent
+ os-aggregates: os-aggregate
+ os-availability-zone: None
+ os-certificates: None
+ os-cloudpipe: None
+ os-fixed-ips: ip
+ os-extra_specs: key
+ os-flavor-access: None
+ os-floating-ip-dns: domain
+ os-floating-ips-bulk: host
+ os-floating-ip-pools: None
+ os-floating-ips: floating-ip
+ os-hosts: host
+ os-hypervisors: hypervisor
+ os-instance-actions: instance-action
+ os-keypairs: keypair
+ os-migrations: None
+ os-networks: network
+ os-quota-sets: tenant
+ os-security-groups: security_group
+ os-security-group-rules: rule
+ os-server-password: None
+ os-services: None
+ os-simple-tenant-usage: tenant
+ os-virtual-interfaces: None
+ os-volume_attachments: attachment
+ os-volumes_boot: None
+ os-volumes: volume
+ os-volume-types: volume-type
+ os-snapshots: snapshot
+ reboot: None
+ servers: server
+ shutdown: None
+ startup: None
+ statistics: None
+ service_endpoints:
+ compute: service/compute
+ rootwrap: |
+ # Configuration for nova-rootwrap
+ # This file should be owned by (and only-writeable by) the root user
+
+ [DEFAULT]
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
+
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
+
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog=False
+
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility=syslog
+
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level=ERROR
+ wsgi_placement: |
+ Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+ <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+ WSGIDaemonProcess placement-api processes=4 threads=1 user=nova group=nova display-name=%{GROUP}
+ WSGIProcessGroup placement-api
+ WSGIScriptAlias / /var/www/cgi-bin/nova/nova-placement-api
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ <IfVersion >= 2.4>
+ ErrorLogFormat "%{cu}t %M"
+ </IfVersion>
+ ErrorLog /dev/stdout
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+ </VirtualHost>
+
+ Alias /placement /var/www/cgi-bin/nova/nova-placement-api
+ <Location /placement>
+ SetHandler wsgi-script
+ Options +ExecCGI
+
+ WSGIProcessGroup placement-api
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
+ rootwrap_filters:
+ api_metadata:
+ pods:
+ - metadata
+ content: |
+ # nova-rootwrap command filters for api-metadata nodes
+ # This is needed on nova-api hosts running with "metadata" in enabled_apis
+ # or when running nova-api-metadata
+ # This file should be owned by (and only-writeable by) the root user
+
+ [Filters]
+ # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+ iptables-save: CommandFilter, iptables-save, root
+ ip6tables-save: CommandFilter, ip6tables-save, root
+
+ # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+ iptables-restore: CommandFilter, iptables-restore, root
+ ip6tables-restore: CommandFilter, ip6tables-restore, root
+ compute:
+ pods:
+ - compute
+ content: |
+ # nova-rootwrap command filters for compute nodes
+ # This file should be owned by (and only-writeable by) the root user
+
+ [Filters]
+ # nova/virt/disk/mount/api.py: 'kpartx', '-a', device
+ # nova/virt/disk/mount/api.py: 'kpartx', '-d', device
+ kpartx: CommandFilter, kpartx, root
+
+ # nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
+ # nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
+ tune2fs: CommandFilter, tune2fs, root
+
+ # nova/virt/disk/mount/api.py: 'mount', mapped_device
+ # nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
+ # nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
+ # nova/virt/configdrive.py: 'mount', device, mountdir
+ # nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
+ mount: CommandFilter, mount, root
+
+ # nova/virt/disk/mount/api.py: 'umount', mapped_device
+ # nova/virt/disk/api.py: 'umount' target
+ # nova/virt/xenapi/vm_utils.py: 'umount', dev_path
+ # nova/virt/configdrive.py: 'umount', mountdir
+ umount: CommandFilter, umount, root
+
+ # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
+ # nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
+ qemu-nbd: CommandFilter, qemu-nbd, root
+
+ # nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
+ # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
+ losetup: CommandFilter, losetup, root
+
+ # nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device
+ blkid: CommandFilter, blkid, root
+
+ # nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
+ # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
+ blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
+
+ # nova/virt/disk/vfs/localfs.py: 'tee', canonpath
+ tee: CommandFilter, tee, root
+
+ # nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
+ mkdir: CommandFilter, mkdir, root
+
+ # nova/virt/disk/vfs/localfs.py: 'chown'
+ # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+ # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
+ # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
+ chown: CommandFilter, chown, root
+
+ # nova/virt/disk/vfs/localfs.py: 'chmod'
+ chmod: CommandFilter, chmod, root
+
+ # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+ # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+ # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+ # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+ # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+ # nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+ # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+ # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+ # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+ # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+ # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+ # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+ # nova/network/linux_net.py: 'ip', 'route', 'add', ..
+ # nova/network/linux_net.py: 'ip', 'route', 'del', .
+ # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ ip: CommandFilter, ip, root
+
+ # nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
+ # nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
+ tunctl: CommandFilter, tunctl, root
+
+ # nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+ # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+ # nova/network/linux_net.py: 'ovs-vsctl', ....
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+ # nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
+ vrouter-port-control: CommandFilter, vrouter-port-control, root
+
+ # nova/virt/libvirt/vif.py: 'ebrctl', ...
+ ebrctl: CommandFilter, ebrctl, root
+
+ # nova/virt/libvirt/vif.py: 'mm-ctl', ...
+ mm-ctl: CommandFilter, mm-ctl, root
+
+ # nova/network/linux_net.py: 'ovs-ofctl', ....
+ ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+ # nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
+ dd: CommandFilter, dd, root
+
+ # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
+ iscsiadm: CommandFilter, iscsiadm, root
+
+ # nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
+ # nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
+ aoe-revalidate: CommandFilter, aoe-revalidate, root
+ aoe-discover: CommandFilter, aoe-discover, root
+
+ # nova/virt/xenapi/vm_utils.py: parted, --script, ...
+ # nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
+ parted: CommandFilter, parted, root
+
+ # nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
+ pygrub: CommandFilter, pygrub, root
+
+ # nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
+ fdisk: CommandFilter, fdisk, root
+
+ # nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
+ # nova/virt/disk/api.py: e2fsck, -f, -p, image
+ e2fsck: CommandFilter, e2fsck, root
+
+ # nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
+ # nova/virt/disk/api.py: resize2fs, image
+ resize2fs: CommandFilter, resize2fs, root
+
+ # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+ iptables-save: CommandFilter, iptables-save, root
+ ip6tables-save: CommandFilter, ip6tables-save, root
+
+ # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+ iptables-restore: CommandFilter, iptables-restore, root
+ ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+ # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+ # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+ arping: CommandFilter, arping, root
+
+ # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+ dhcp_release: CommandFilter, dhcp_release, root
+
+ # nova/network/linux_net.py: 'kill', '-9', pid
+ # nova/network/linux_net.py: 'kill', '-HUP', pid
+ kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+ # nova/network/linux_net.py: 'kill', pid
+ kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+ # nova/network/linux_net.py: dnsmasq call
+ dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+ # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+ radvd: CommandFilter, radvd, root
+
+ # nova/network/linux_net.py: 'brctl', 'addbr', bridge
+ # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+ # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+ # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+ brctl: CommandFilter, brctl, root
+
+ # nova/virt/libvirt/utils.py: 'mkswap'
+ # nova/virt/xenapi/vm_utils.py: 'mkswap'
+ mkswap: CommandFilter, mkswap, root
+
+ # nova/virt/libvirt/utils.py: 'nova-idmapshift'
+ nova-idmapshift: CommandFilter, nova-idmapshift, root
+
+ # nova/virt/xenapi/vm_utils.py: 'mkfs'
+ # nova/utils.py: 'mkfs', fs, path, label
+ mkfs: CommandFilter, mkfs, root
+
+ # nova/virt/libvirt/utils.py: 'qemu-img'
+ qemu-img: CommandFilter, qemu-img, root
+
+ # nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
+ readlink: CommandFilter, readlink, root
+
+ # nova/virt/disk/api.py:
+ mkfs.ext3: CommandFilter, mkfs.ext3, root
+ mkfs.ext4: CommandFilter, mkfs.ext4, root
+ mkfs.ntfs: CommandFilter, mkfs.ntfs, root
+
+ # nova/virt/libvirt/connection.py:
+ lvremove: CommandFilter, lvremove, root
+
+ # nova/virt/libvirt/utils.py:
+ lvcreate: CommandFilter, lvcreate, root
+
+ # nova/virt/libvirt/utils.py:
+ lvs: CommandFilter, lvs, root
+
+ # nova/virt/libvirt/utils.py:
+ vgs: CommandFilter, vgs, root
+
+ # nova/utils.py:read_file_as_root: 'cat', file_path
+ # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+ read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+ read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+
+ # os-brick needed commands
+ read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
+ multipath: CommandFilter, multipath, root
+ # multipathd show status
+ multipathd: CommandFilter, multipathd, root
+ systool: CommandFilter, systool, root
+ vgc-cluster: CommandFilter, vgc-cluster, root
+ # os_brick/initiator/connector.py
+ drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
+
+ # TODO(smcginnis) Temporary fix.
+ # Need to pull in os-brick os-brick.filters file instead and clean
+ # out stale brick values from this file.
+ scsi_id: CommandFilter, /lib/udev/scsi_id, root
+ # os_brick.privileged.default oslo.privsep context
+ # This line ties the superuser privs with the config files, context name,
+ # and (implicitly) the actual python code invoked.
+ privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+
+ # nova/storage/linuxscsi.py: sg_scan device
+ sg_scan: CommandFilter, sg_scan, root
+
+ # nova/volume/encryptors/cryptsetup.py:
+ # nova/volume/encryptors/luks.py:
+ ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/crypt-.+, .+
+
+ # nova/volume/encryptors.py:
+ # nova/virt/libvirt/dmcrypt.py:
+ cryptsetup: CommandFilter, cryptsetup, root
+
+ # nova/virt/xenapi/vm_utils.py:
+ xenstore-read: CommandFilter, xenstore-read, root
+
+ # nova/virt/libvirt/utils.py:
+ rbd: CommandFilter, rbd, root
+
+ # nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
+ shred: CommandFilter, shred, root
+
+ # nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
+ cp: CommandFilter, cp, root
+
+ # nova/virt/xenapi/vm_utils.py:
+ sync: CommandFilter, sync, root
+
+ # nova/virt/libvirt/imagebackend.py:
+ ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
+ prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
+
+ # nova/virt/libvirt/utils.py: 'xend', 'status'
+ xend: CommandFilter, xend, root
+
+ # nova/virt/libvirt/utils.py:
+ touch: CommandFilter, touch, root
+
+ # nova/virt/libvirt/volume/vzstorage.py
+ pstorage-mount: CommandFilter, pstorage-mount, root
+ network:
+ pods:
+ - compute
+ content: |
+ # nova-rootwrap command filters for network nodes
+ # This file should be owned by (and only-writeable by) the root user
+
+ [Filters]
+ # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+ # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+ # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+ # nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+ # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+ # nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+ # nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+ # nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+ # nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+ # nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+ # nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+ # nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+ # nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+ # nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+ # nova/network/linux_net.py: 'ip', 'route', 'add', ..
+ # nova/network/linux_net.py: 'ip', 'route', 'del', .
+ # nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ ip: CommandFilter, ip, root
+
+ # nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+ # nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+ # nova/network/linux_net.py: 'ovs-vsctl', ....
+ ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+ # nova/network/linux_net.py: 'ovs-ofctl', ....
+ ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+ # nova/virt/libvirt/vif.py: 'ivs-ctl', ...
+ # nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
+ # nova/network/linux_net.py: 'ivs-ctl', ....
+ ivs-ctl: CommandFilter, ivs-ctl, root
+
+ # nova/virt/libvirt/vif.py: 'ifc_ctl', ...
+ ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
+
+ # nova/network/linux_net.py: 'ebtables', '-D' ...
+ # nova/network/linux_net.py: 'ebtables', '-I' ...
+ ebtables: CommandFilter, ebtables, root
+ ebtables_usr: CommandFilter, ebtables, root
+
+ # nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+ iptables-save: CommandFilter, iptables-save, root
+ ip6tables-save: CommandFilter, ip6tables-save, root
+
+ # nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+ iptables-restore: CommandFilter, iptables-restore, root
+ ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+ # nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+ # nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+ arping: CommandFilter, arping, root
+
+ # nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+ dhcp_release: CommandFilter, dhcp_release, root
+
+ # nova/network/linux_net.py: 'kill', '-9', pid
+ # nova/network/linux_net.py: 'kill', '-HUP', pid
+ kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+ # nova/network/linux_net.py: 'kill', pid
+ kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+ # nova/network/linux_net.py: dnsmasq call
+ dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+ # nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+ radvd: CommandFilter, radvd, root
+
+ # nova/network/linux_net.py: 'brctl', 'addbr', bridge
+ # nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
+ # nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
+ # nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
+ brctl: CommandFilter, brctl, root
+
+ # nova/network/linux_net.py: 'sysctl', ....
+ sysctl: CommandFilter, sysctl, root
+
+ # nova/network/linux_net.py: 'conntrack'
+ conntrack: CommandFilter, conntrack, root
+
+ # nova/network/linux_net.py: 'fp-vdev'
+ fp-vdev: CommandFilter, fp-vdev, root
+ nova_ironic:
+ DEFAULT:
+ scheduler_host_manager: ironic_host_manager
+ compute_driver: ironic.IronicDriver
+ ram_allocation_ratio: 1.0
+ cpu_allocation_ratio: 1.0
+ reserved_host_memory_mb: 0
+ libvirt:
+ # Get the IP address to be used as the target for live migration traffic using interface name.
+ # If this option is set to None, the hostname of the migration target compute node will be used.
+ live_migration_interface:
+ hypervisor:
+ # my_ip can be set automatically through this interface name.
+ host_interface:
+ # This list is the keys to exclude from the config file ingested by nova-compute
+ nova_compute_redactions:
+ - database
+ - api_database
+ - cell0_database
+ nova:
+ DEFAULT:
+ log_config_append: /etc/nova/logging.conf
+ default_ephemeral_format: ext4
+ ram_allocation_ratio: 1.0
+ disk_allocation_ratio: 1.0
+ cpu_allocation_ratio: 3.0
+ state_path: /var/lib/nova
+ osapi_compute_listen: 0.0.0.0
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ osapi_compute_listen_port: null
+ osapi_compute_workers: 1
+ metadata_workers: 1
+ use_neutron: true
+ firewall_driver: nova.virt.firewall.NoopFirewallDriver
+ linuxnet_interface_driver: openvswitch
+ compute_driver: libvirt.LibvirtDriver
+ my_ip: 0.0.0.0
+ instance_usage_audit: True
+ instance_usage_audit_period: hour
+ notify_on_state_change: vm_and_task_state
+ resume_guests_state_on_host_boot: True
+ vnc:
+ novncproxy_host: 0.0.0.0
+ vncserver_listen: 0.0.0.0
+ # This would be set by each compute nodes's ip
+ # server_proxyclient_address: 127.0.0.1
+ spice:
+ html5proxy_host: 0.0.0.0
+ server_listen: 0.0.0.0
+ # This would be set by each compute nodes's ip
+ # server_proxyclient_address: 127.0.0.1
+ conductor:
+ workers: 1
+ oslo_policy:
+ policy_file: /etc/nova/policy.yaml
+ oslo_concurrency:
+ lock_path: /var/lib/nova/tmp
+ oslo_middleware:
+ enable_proxy_headers_parsing: true
+ glance:
+ num_retries: 3
+ ironic:
+ api_endpoint: null
+ auth_url: null
+ neutron:
+ metadata_proxy_shared_secret: "password"
+ service_metadata_proxy: True
+ auth_type: password
+ auth_version: v3
+ database:
+ max_retries: -1
+ api_database:
+ max_retries: -1
+ cell0_database:
+ max_retries: -1
+ keystone_authtoken:
+ auth_type: password
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ service_user:
+ auth_type: password
+ send_service_user_token: false
+ libvirt:
+ connection_uri: "qemu+unix:///system?socket=/run/libvirt/libvirt-sock"
+ images_type: qcow2
+ images_rbd_pool: vms
+ images_rbd_ceph_conf: /etc/ceph/ceph.conf
+ rbd_user: cinder
+ rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+ disk_cachemodes: "network=writeback"
+ hw_disk_discard: unmap
+ upgrade_levels:
+ compute: auto
+ cache:
+ enabled: true
+ backend: dogpile.cache.memcached
+ wsgi:
+ api_paste_config: /etc/nova/api-paste.ini
+ oslo_messaging_notifications:
+ driver: messagingv2
+ oslo_messaging_rabbit:
+ rabbit_ha_queues: true
+ placement:
+ auth_type: password
+ auth_version: v3
+ logging:
+ loggers:
+ keys:
+ - root
+ - nova
+ - os.brick
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_nova:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: nova
+ logger_os.brick:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: os.brick
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ rabbitmq:
+ # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+ policies:
+ - vhost: "nova"
+ name: "ha_ttl_nova"
+ definition:
+ # mirror messges to other nodes in rmq cluster
+ ha-mode: "all"
+ ha-sync-mode: "automatic"
+ # 70s
+ message-ttl: 70000
+ priority: 0
+ apply-to: all
+ pattern: '^(?!(amq\.|reply_)).*'
+ enable_iscsi: false
+ archive_deleted_rows:
+ purge_deleted_rows: false
+ until_completion: true
+ all_cells: false
+ max_rows:
+ enabled: False
+ rows: 1000
+ before:
+ enabled: false
+ date: 'nil'
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: nova-keystone-admin
+ nova: nova-keystone-user
+ placement: nova-keystone-placement
+ test: nova-keystone-test
+ oslo_db:
+ admin: nova-db-admin
+ nova: nova-db-user
+ oslo_db_api:
+ admin: nova-db-api-admin
+ nova: nova-db-api-user
+ oslo_db_cell0:
+ admin: nova-db-cell0-admin
+ nova: nova-db-cell0-user
+ oslo_messaging:
+ admin: nova-rabbitmq-admin
+ nova: nova-rabbitmq-user
+ tls:
+ compute:
+ osapi:
+ public: nova-tls-public
+ internal: nova-tls-api
+ compute_novnc_proxy:
+ novncproxy:
+ public: nova-novncproxy-tls-public
+ internal: nova-novncproxy-tls-proxy
+ placement:
+ placement:
+ public: placement-tls-public
+ internal: placement-tls-api
+ compute_metadata:
+ metadata:
+ public: metadata-tls-public
+ internal: metadata-tls-metadata
+ compute_spice_proxy:
+ spiceproxy:
+ internal: nova-tls-spiceproxy
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ nova:
+ username: nova
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /nova
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_db_api:
+ auth:
+ admin:
+ username: root
+ password: password
+ nova:
+ username: nova
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /nova_api
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_db_cell0:
+ auth:
+ admin:
+ username: root
+ password: password
+ nova:
+ username: nova
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /nova_cell0
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ secret:
+ tls:
+ internal: rabbitmq-tls-direct
+ nova:
+ username: nova
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /nova
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ nova:
+ role: admin
+ region_name: RegionOne
+ username: nova
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ # NOTE(portdirect): the neutron user is not managed by the nova chart
+ # these values should match those set in the neutron chart.
+ neutron:
+ region_name: RegionOne
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ username: neutron
+ password: password
+ # NOTE(portdirect): the ironic user is not managed by the nova chart
+ # these values should match those set in the ironic chart.
+ ironic:
+ auth_type: password
+ auth_version: v3
+ region_name: RegionOne
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ username: ironic
+ password: password
+ placement:
+ role: admin
+ region_name: RegionOne
+ username: placement
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ test:
+ role: admin
+ region_name: RegionOne
+ username: nova-test
+ password: password
+ project_name: test
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ image:
+ name: glance
+ hosts:
+ default: glance-api
+ public: glance
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: http
+ port:
+ api:
+ default: 9292
+ public: 80
+ compute:
+ name: nova
+ hosts:
+ default: nova-api
+ public: nova
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: "/v2.1/%(tenant_id)s"
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8774
+ public: 80
+ novncproxy:
+ default: 6080
+ compute_metadata:
+ name: nova
+ ip:
+ # IF blank, set clusterIP and metadata_host dynamically
+ ingress: null
+ hosts:
+ default: nova-metadata
+ public: metadata
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: 'http'
+ port:
+ metadata:
+ default: 8775
+ public: 80
+ compute_novnc_proxy:
+ name: nova
+ hosts:
+ default: nova-novncproxy
+ public: novncproxy
+ host_fqdn_override:
+ default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
+ path:
+ default: /vnc_auto.html
+ scheme:
+ default: 'http'
+ port:
+ novnc_proxy:
+ default: 6080
+ public: 80
+ compute_spice_proxy:
+ name: nova
+ hosts:
+ default: nova-spiceproxy
+ public: placement
+ host_fqdn_override:
+ default: null
+ path:
+ default: /spice_auto.html
+ scheme:
+ default: 'http'
+ port:
+ spice_proxy:
+ default: 6082
+ placement:
+ name: placement
+ hosts:
+ default: placement-api
+ public: placement
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8778
+ public: 80
+ network:
+ name: neutron
+ hosts:
+ default: neutron-server
+ public: neutron
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 9696
+ public: 80
+ baremetal:
+ name: ironic
+ hosts:
+ default: ironic-api
+ public: ironic
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: http
+ port:
+ api:
+ default: 6385
+ public: 80
+ fluentd:
+ namespace: null
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+ # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+ # They are using to enable the Egress K8s network policy.
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns:
+ default: 53
+ protocol: UDP
+ ingress:
+ namespace: null
+ name: ingress
+ hosts:
+ default: ingress
+ port:
+ ingress:
+ default: 80
+
+pod:
+ probes:
+ rpc_timeout: 60
+ rpc_retries: 2
+ compute:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 90
+ timeoutSeconds: 70
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 80
+ periodSeconds: 90
+ timeoutSeconds: 70
+ api-metadata:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 15
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 15
+ api-osapi:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 15
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 15
+ conductor:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 90
+ timeoutSeconds: 70
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 80
+ periodSeconds: 90
+ timeoutSeconds: 70
+ consoleauth:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 90
+ timeoutSeconds: 70
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 80
+ periodSeconds: 90
+ timeoutSeconds: 70
+ novncproxy:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 15
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 15
+ placement:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 50
+ periodSeconds: 30
+ timeoutSeconds: 10
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ timeoutSeconds: 10
+ scheduler:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 120
+ periodSeconds: 90
+ timeoutSeconds: 70
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 80
+ periodSeconds: 90
+ timeoutSeconds: 70
+ compute-spice-proxy:
+ default:
+ liveness:
+ enabled: True
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 15
+ readiness:
+ enabled: True
+ params:
+ initialDelaySeconds: 30
+ periodSeconds: 60
+ timeoutSeconds: 15
+ security_context:
+ nova:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_compute_init:
+ readOnlyRootFilesystem: true
+ runAsUser: 0
+ tungstenfabric_compute_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ ceph_perms:
+ readOnlyRootFilesystem: true
+ runAsUser: 0
+ ceph_admin_keyring_placement:
+ readOnlyRootFilesystem: true
+ ceph_keyring_placement:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_compute_vnc_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_compute_spice_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_compute:
+ readOnlyRootFilesystem: true
+ privileged: true
+ nova_compute_ssh:
+ privileged: true
+ runAsUser: 0
+ nova_compute_ssh_init:
+ runAsUser: 0
+ nova_api_metadata_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_api:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_osapi:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_conductor:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_consoleauth:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_novncproxy_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_novncproxy_init_assests:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_novncproxy:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_placement_api:
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ nova_scheduler:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_spiceproxy_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_spiceproxy_init_assets:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_spiceproxy:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ bootstrap:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_wait_for_computes_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ bootstrap:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_cell_setup:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_wait_for_computes_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_cell_setup_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_cell_setup:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ archive_deleted_rows:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_archive_deleted_rows_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_archive_deleted_rows:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ cell_setup:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_cell_setup:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ service_cleaner:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_service_cleaner:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ use_fqdn:
+ # NOTE: If the option "host" is not specified in nova.conf, the host name
+ # shown in the hypervisor host is defaulted to the short name of the host.
+ # Setting the option here to true will cause use $(hostname --fqdn) as the
+ # host name by default. If the short name is desired $(hostname --short),
+ # set the option to false. Specifying a host in the nova.conf via the conf:
+ # section will supersede the value of this option.
+ compute: true
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ mounts:
+ nova_compute:
+ init_container: null
+ nova_compute:
+ volumeMounts:
+ volumes:
+ nova_compute_ironic:
+ init_container: null
+ nova_compute_ironic:
+ volumeMounts:
+ volumes:
+ nova_api_metadata:
+ init_container: null
+ nova_api_metadata:
+ volumeMounts:
+ volumes:
+ nova_placement:
+ init_container: null
+ nova_placement:
+ volumeMounts:
+ volumes:
+ nova_api_osapi:
+ init_container: null
+ nova_api_osapi:
+ volumeMounts:
+ volumes:
+ nova_consoleauth:
+ init_container: null
+ nova_consoleauth:
+ volumeMounts:
+ volumes:
+ nova_conductor:
+ init_container: null
+ nova_conductor:
+ volumeMounts:
+ volumes:
+ nova_scheduler:
+ init_container: null
+ nova_scheduler:
+ volumeMounts:
+ volumes:
+ nova_bootstrap:
+ init_container: null
+ nova_bootstrap:
+ volumeMounts:
+ volumes:
+ nova_tests:
+ init_container: null
+ nova_tests:
+ volumeMounts:
+ volumes:
+ nova_novncproxy:
+ init_novncproxy: null
+ nova_novncproxy:
+ volumeMounts:
+ volumes:
+ nova_spiceproxy:
+ init_spiceproxy: null
+ nova_spiceproxy:
+ volumeMounts:
+ volumes:
+ nova_db_sync:
+ nova_db_sync:
+ volumeMounts:
+ volumes:
+ useHostNetwork:
+ novncproxy: true
+ replicas:
+ api_metadata: 1
+ compute_ironic: 1
+ placement: 1
+ osapi: 1
+ conductor: 1
+ consoleauth: 1
+ scheduler: 1
+ novncproxy: 1
+ spiceproxy: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ daemonsets:
+ pod_replacement_strategy: RollingUpdate
+ compute:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ disruption_budget:
+ metadata:
+ min_available: 0
+ placement:
+ min_available: 0
+ osapi:
+ min_available: 0
+ termination_grace_period:
+ metadata:
+ timeout: 30
+ placement:
+ timeout: 30
+ osapi:
+ timeout: 30
+ resources:
+ enabled: false
+ compute:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ compute_ironic:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ api_metadata:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ placement:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ conductor:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ consoleauth:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ scheduler:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ssh:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ novncproxy:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ spiceproxy:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ archive_deleted_rows:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ cell_setup:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ service_cleaner:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+network_policy:
+ nova:
+ # TODO(lamt): Need to tighten this ingress for security.
+ ingress:
+ - {}
+ egress:
+ - {}
+ placement:
+ # TODO(lamt): Need to tighten this ingress for security.
+ ingress:
+ - {}
+ egress:
+ - {}
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+health_probe:
+ logging:
+ level: ERROR
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ cron_job_cell_setup: true
+ cron_job_service_cleaner: true
+ cron_job_archive_deleted_rows: false
+ daemonset_compute: true
+ deployment_api_metadata: true
+ deployment_api_osapi: true
+ deployment_placement: true
+ deployment_conductor: true
+ deployment_consoleauth: true
+ deployment_novncproxy: true
+ deployment_spiceproxy: true
+ deployment_scheduler: true
+ ingress_metadata: true
+ ingress_novncproxy: true
+ ingress_placement: true
+ ingress_osapi: true
+ job_bootstrap: true
+ job_db_init: true
+ job_db_init_placement: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ job_rabbit_init: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ job_ks_placement_endpoints: true
+ job_ks_placement_service: true
+ job_ks_placement_user: true
+ job_cell_setup: true
+ pdb_metadata: true
+ pdb_placement: true
+ pdb_osapi: true
+ pod_rally_test: true
+ network_policy: false
+ secret_db_api: true
+ secret_db_cell0: true
+ secret_db: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_keystone_placement: true
+ secret_rabbitmq: true
+ service_ingress_metadata: true
+ service_ingress_novncproxy: true
+ service_ingress_placement: true
+ service_ingress_osapi: true
+ service_metadata: true
+ service_placement: true
+ service_novncproxy: true
+ service_spiceproxy: true
+ service_osapi: true
+ statefulset_compute_ironic: false
+...
diff --git a/charts/octavia/Chart.yaml b/charts/octavia/Chart.yaml
new file mode 100644
index 0000000..a685d8c
--- /dev/null
+++ b/charts/octavia/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Octavia
+home: https://docs.openstack.org/octavia/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Octavia/OpenStack_Project_Octavia_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: octavia
+sources:
+- https://opendev.org/openstack/octavia
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.5
diff --git a/charts/octavia/charts/helm-toolkit/Chart.yaml b/charts/octavia/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..d90280e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.44
diff --git a/charts/octavia/charts/helm-toolkit/requirements.yaml b/charts/octavia/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
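Review bot: The closing printf splices the username and password into the URI verbatim, so a credential containing a reserved character such as `@`, `/`, `:` or `%` yields a URI that consumers split at the wrong boundary, and a missing `username`/`password` key renders as `%!s(<nil>)` in the output instead of failing the chart render. Guarding the lookup, e.g. `{{- $endpointPass := index $userMap "password" | required (printf "endpoints.%s.auth.%s.password is required" $type $userclass) }}`, turns the silent case into a render error; escaping is harder because Go's `urlquery` encodes a space as `+`, so at minimum the header comment should state that credentials must be URL-safe. The same applies to the two credential-and-host printf lines in `_authenticated_transport_endpoint_uri_lookup.tpl` and to the token printf in `_endpoint_token_lookup.tpl`. These are vendored copies of helm-toolkit, so the change presumably belongs upstream rather than in this bundle.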
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
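Review bot: The condition `{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}` reads as a double negation; the intent (enumerate statefulset pods only when a statefulset is configured and no FQDN override is set) is clearer as `{{- if and $ssMap (not (index $hostFqdnOverride $endpoint | default (index $hostFqdnOverride "default"))) }}`. Inside that branch `atoi (print $ssMap.replicas)` presumably falls back to 0 when `replicas` is unset or non-numeric, which makes the `until` loop empty and leaves the credential-and-host list blank rather than failing; a short comment on that fallback, or a `required` on `replicas`, would help the next reader.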
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
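Review bot: The literal-address test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any host value that merely contains a dotted-quad substring (a constructed example: `db-1.2.3.4.example`) is returned verbatim and skips the FQDN lookup, while an IPv6 literal never matches and presumably goes through the FQDN path. Anchoring the pattern, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, limits the shortcut to a bare dotted-quad; IPv6 would need its own check. The scratch key `__endpointHost` is also written into `$context.Values` on every call and never cleared, which deserves a comment since it leaks a per-call temporary into chart-wide values.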
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
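Review bot: `printf "%1.f" $endpointPort` assumes the port value is a float (presumably because Helm decodes YAML numbers as float64); a quoted port in values (`default: "3306"`) renders as the Go format error string `%!f(string=3306)` inside the endpoint URI instead of aborting the render, and a missing port prints `%!f(<nil>)`. Converting explicitly, `{{- printf "%d" (int $endpointPort) -}}`, accepts both forms; pair it with `required` if a missing port should fail loudly, since `int` maps nil to 0.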
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
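Review bot: The scratch entry written into `$context.Values` under `__endpointHost` is never removed, so it stays in `.Values` after the lookup and will surface in any later `toYaml .Values` dump the chart renders; once `$endpointHost` has been read back, add `{{- $_ := unset $context.Values "__endpointHost" }}`. `$endpointScheme` is assigned from `$endpointMap.scheme` and never used, so it can be dropped. The IP-literal test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"` is unanchored, so a hostname that merely contains a dotted number run (a constructed example: `node-10.0.0.1.example`) is treated as an IP and the endpoint type is returned in place of the host; anchoring it as `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` avoids that, and the same pattern is used in _service_name_endpoint_with_namespace_lookup.tpl further down. These files are vendored copies of helm-toolkit, so the fix should land upstream or it will be lost on the next bundle.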
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
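Review bot: The usage example in the header comment does not match the template it documents: it includes `"keystone_endpoint_name_lookup"` rather than the defined name `"helm-toolkit.endpoints.keystone_endpoint_name_lookup"`, and passes `identity` unquoted where a string literal is needed; the line should read `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. The abstract reads "for an service type"; "for a service type" is meant. Since the result is passed through `quote`, the example's quoted `"keystone"` return value is accurate and callers should not quote it again.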
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
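Review bot: The fallback to `/` in the else branch is unreachable when the endpoint has no `path` key at all: `$endpointMap.path` is then nil and Go's `index` fails with "index of untyped nil" before either `default` runs, so rendering aborts instead of using the default. Guard the map case explicitly and let a final branch supply the default: `{{- else if kindIs "map" $endpointMap.path -}}` around the existing two lines, then `{{- else -}}` / `{{- "/" -}}`. The scheme lookup in _keystone_endpoint_scheme_lookup.tpl has the same shape with `"http"` as its default and needs the same guard. The two `# FIXME` lines sit outside a `{{/* */}}` block and are therefore template output rather than comments; harmless in a `_`-prefixed tpl, but they belong inside the comment block alongside the unused `$port` argument they describe.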
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/octavia/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
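Review bot: In the IP-address branch `if .service.name` dereferences `.service` unconditionally, so an endpoint whose host is an IP literal but has no `service:` block fails to render with a nil-pointer evaluation error, although the header comment presents `.service.name` as an optional override. Check for the map first, `{{- if and .service .service.name }}`; this relies on the short-circuiting `and` of current Go template engines, so on older Helm builds use two nested `if`s instead. Separately, the `with $endpointMap` wrapper renders nothing at all for an unknown endpoint type, so a typo in the service type would presumably reach the caller as an empty string rather than a template error; a `required` or `fail` on `$endpointMap` would surface it at render time.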
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
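Review bot: The Certificate `spec` is the whole `tls` map from values serialised verbatim (`$slice | toYaml`), so any extra keys placed under `host_fqdn_override.default.tls` end up in the manifest; the ingress helper in this same toolkit reads `crt`, `key` and `ca` PEM material from the sibling `host_fqdn_override.<endpoint>.tls` map, and a values file following that layout for `default` would emit the private key into the rendered Certificate object. Dropping those keys before serialising, `{{ omit $slice "crt" "key" "ca" | toYaml | indent 2 }}`, keeps key material out of the manifest and out of the stored release. The template comment above the dnsNames default says the list "can be overridden by a passed-in parameter", but the define only reads `envAll`, `service` and `type`; either add such a parameter or reword the comment to say the override lives at `endpoints.<service>.host_fqdn_override.default.tls.dnsNames` in values. The defaults are written back into `$envAll.Values` via `set` and so persist for the rest of the render; that is what makes `$slice` reflect them, and a one-line comment stating it would save the next reader the trace.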
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..7846895
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/octavia/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
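Review bot: For every `RGW_PROTO` other than `http`, `CONNECTION_ARGS` unconditionally gets `--no-check-certificate`, so the admin and per-service S3 credentials are sent over a TLS session whose server certificate is never verified and anyone able to intercept the path to the RGW endpoint can harvest them. The https branch should verify against the cluster CA and treat skipping verification as an explicit opt-in, e.g. `CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT}"` when such a path is supplied, with `--no-check-certificate` only behind a dedicated flag; how a CA path would be plumbed through the chart values is not visible from this hunk. Separately, `--access_key=`/`--secret_key=` on the `s3cmd` command line expose both key pairs in `/proc/*/cmdline` to any other process on the node; writing an `s3cmd -c` config file with mode 0600 avoids that.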
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
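Review bot: In `update_s3_user`, a key whose access key equals `S3_ACCESS_KEY` is skipped (`continue` at the top of the loop) and the later `-z ${current_access_key}` check then also does nothing, so a rotated `S3_SECRET_KEY` with an unchanged access key is never applied and the job prints `Current user and key pair exists.` while the old secret remains valid. When the access key matches, re-set the secret as well, e.g. `radosgw-admin key create --uid="${S3_USERNAME}" --key-type=s3 --access-key="${S3_ACCESS_KEY}" --secret-key="${S3_SECRET_KEY}"`, which replaces the secret of an existing access key (confirm against the radosgw-admin version shipped in the image). The `${S3_USERNAME}` and key expansions are unquoted throughout; double-quoting them costs nothing and avoids surprises if a value ever contains whitespace.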
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
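Review bot: `database` and `user`, taken from the service connection string, are spliced verbatim into `DROP DATABASE IF EXISTS {0}` and `DROP USER IF EXISTS {0}`; a name containing a backtick, quote or space yields a broken or different statement, and because this runs with the `ROOT_DB_CONNECTION` credentials that is worth closing even though the input normally comes from chart-managed config. Validate both identifiers before use, e.g. `if not re.fullmatch(r'[A-Za-z0-9_]+', database): raise SystemExit('unsafe database name')` (with `import re` added next to the existing imports), and quote them in the SQL as `` `{0}` `` for the database and as the same `'user'@'%'` account spec the init script's GRANT creates, so the DROP USER targets the account that was actually granted. The bare `except:` blocks re-raise and are therefore harmless, but `except Exception:` would stop a `KeyboardInterrupt` from being logged as a database failure.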
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
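Review bot: The GRANT at the end splices `password` into the SQL text protected only by the surrounding single quotes, so a generated secret containing `'` or `\` breaks the statement or, since the script runs as the DB root user, changes what it does; `database` and `user` receive the same unvalidated treatment. At minimum escape the literal before formatting, `password.replace('\\', '\\\\').replace("'", "''")`, and reject identifiers outside `[A-Za-z0-9_]` with a `re.fullmatch` check; a bound parameter via `sqlalchemy.text` is the cleaner fix, but it changes how the `'%%'` host literal must be written for the driver in use, so verify that rendering before switching. Note also that `IDENTIFIED BY` inside `GRANT` is MariaDB / MySQL 5.x syntax and is rejected by MySQL 8, where a separate `CREATE USER IF NOT EXISTS ... IDENTIFIED BY` plus `ALTER USER` is required should that backend ever be used.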
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
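Review bot: `set -ex` at the top means xtrace prints the fully expanded `psql --command=...` line for the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` calls, so the service database password lands in the job's stdout and from there in pod logs and any log aggregation. The keystone user script on this same page disables tracing around its password call; do the same here with `set +x` before the CREATE ROLE line and `set -x` after the ALTER USER line. On the same lines the password is also pasted into SQL unescaped, so a `'` in `USER_DB_PASS` breaks both statements; double any single quote in the value before interpolating it. Unrelated but nearby: `EXPORT PGDATABASE=$2` inside `pgsql_superuser_cmd` is not a bash builtin and would fail under `set -e` if a second argument were ever passed — it should read `export PGDATABASE=$2`.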
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
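Review bot: The loop mirrors each image by mutable tag only (`docker pull ${IMAGE}`, re-tag, push), so nothing records which upstream digest was actually copied and a later re-run can silently replace the local tag with different content. Consider logging the pulled digest next to the push, e.g. `docker inspect --format '{{index .RepoDigests 0}}' "${IMAGE}"` (the `{{` must be escaped inside this Go template), or accepting `name@sha256:...` entries in `IMAGE_SYNC_LIST` so the sync is reproducible. The expansions in the three docker calls are unquoted; `"${IMAGE}"` and `"${LOCAL_REPO}/${IMAGE}"` are safer under `#!/bin/sh`.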
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
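Review bot: With `set -ex` in force, the `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` and `openstack user set --password="${SERVICE_OS_PASSWORD}"` commands are echoed by xtrace with the service password expanded, so the credential ends up in the job's pod logs. The `keystone_user` script further down this page already handles this by bracketing its password call with `set +x` / `set -x` and printing a masked echo; apply the same around the user create and user set lines here. Passing `--password` to `user create --or-show` is also redundant given the unconditional `user set --password` that follows, so dropping it from the create call removes one of the two exposures outright.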
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
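Review bot: `OS_SERVICE_ID` comes from a `openstack service list | grep | sed` pipeline under `set -e` without `set -o pipefail`, so a transient failure of `service list` (the flake the ks-service script's FIXME on this page describes) yields an empty id and the script goes on to delete existing endpoints and call `openstack endpoint create` with `""` as the service argument, failing late with an unhelpful error. Guard the value right after the assignment and before any deletion, e.g. `[[ -n "${OS_SERVICE_ID}" ]] || { echo "Service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; }`, and consider `set -o pipefail` so a failing listing aborts instead of matching nothing. The `grep` patterns also treat `OS_SERVICE_NAME` and `OS_SVC_ENDPOINT` as regular expressions, so a `.` in either matches more loosely than intended.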
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
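Review bot: The retry loop cannot tell "service list failed" from "service genuinely absent": without `set -o pipefail` a connection error in `openstack service list` leaves the pipeline with an empty `OS_SERVICE_ID`, and after three such attempts the script falls through to `openstack service create`, which is exactly the duplicate-service outcome the FIXME comment above the loop describes. Capture the listing on its own so an error retries and only a successful but empty match counts as absent, and refuse to create when every attempt errored; the `grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$"` pattern additionally treats the names as regex, so a name with `.` or `+` matches too loosely (an `awk -F,` exact field comparison would fix that).

```shell
LIST_OK=0
for i in $(seq 3)
do
  # A failed listing must not be mistaken for "no such service", or the
  # fall-through below creates a duplicate; retry on error instead.
  SERVICE_LIST=$(openstack service list -f csv --quote none) || { sleep 2; continue; }
  LIST_OK=1
  OS_SERVICE_ID=$( echo "${SERVICE_LIST}" | \
    grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
    sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
  # … unchanged: exit 0 when found, sleep 2 …
done

# Never create on the strength of three failed listings.
if [[ "${LIST_OK}" -ne 1 ]]; then
  echo "openstack service list failed repeatedly; refusing to create ${OS_SERVICE_NAME}"
  exit 1
fi
# … unchanged: openstack service create …
```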
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
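Review bot: `IFS=','` just before the roles loop is set for the remainder of the script and never restored, so every later unquoted expansion splits on commas instead of whitespace; the member-role block that follows happens to quote its expansions, but the next edit may not. Scope it to the loop with `IFS=',' read -ra SERVICE_OS_ROLE_LIST <<< "${SERVICE_OS_ROLES}"` followed by `for SERVICE_OS_ROLE in "${SERVICE_OS_ROLE_LIST[@]}"; do`, or save and restore the previous `IFS` around the loop.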
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
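Review bot: `database_exists` checks membership with `grep "${DB}" ${RESULT_FILE}`, which is an unanchored, regex-interpreted substring match: a requested name that is merely a prefix of another database in the archive passes the existence check, and regex metacharacters in the name match unintended entries; a fixed whole-line match, `grep -qxF -- "${DB}" "${RESULT_FILE}"`, gives the intended semantics. Separately, `list_archives` accepts the location flag case-insensitively via `${REMOTE^^}` while `get_archive` compares against the lowercase literal `"xremote"`, so `list_databases <archive> REMOTE` falls through to `usage 1` even though `list_archives REMOTE` works; normalising the flag once in `cli_main` (or using the same comparison in both helpers) would make the CLI consistent. The copy-pasted comment above `get_rows` in `list_rows` still says "one table per line" and should read "one row (INSERT statement) per line".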
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
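Review bot: An undefined tag name at `index $envAll.Values.images.tags $image` yields nil and, as far as I can tell, is rendered as an empty `image:` value rather than failing the template, which only surfaces later as a pull error on the pod; a `required` guard fails rendering with the name of the missing key: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. The header's return example already shows the expected quoted form, so nothing else in the documentation needs to change.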
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
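Review bot: The header comment is out of step with the template body: the usage example omits the `useCA` parameter the define reads, the return example lists `OS_CACERT` unconditionally although it is only emitted inside `{{- if $useCA }}`, and `OS_DEFAULT_DOMAIN` is emitted but not shown. Suggested usage line: `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}`, with an `OS_DEFAULT_DOMAIN` entry added to the return block and a sentence stating that `OS_CACERT` appears only when `useCA` is true. `OS_ENDPOINT_TYPE` reading the `OS_INTERFACE` secret key looks intentional (the two variables carry the same setting for different client generations) but deserves an inline template comment so it is not "corrected" later, e.g. `{{/* OS_ENDPOINT_TYPE intentionally mirrors the OS_INTERFACE key */}}`.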
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
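Review bot: This snippet carries no abstract/values/usage/return header, unlike the sibling `_keystone_openrc_env_vars.tpl` and `_keystone_user_create_env_vars.tpl` snippets, so a reader has to reverse-engineer that the tuple is (user class, identity endpoint name, context), that the output is the base64-encoded `data:` body of a Secret, and that every key of `endpoints.identity.auth.<userClass>` except `interface`, `default_domain_id` and `cacert` is mandatory. A header in the same format as the siblings, listing those three optional keys and their defaults, would close that gap. Note also that a missing mandatory key such as `region_name` reaches `b64enc` as nil; I believe that aborts rendering with a type error rather than a message naming the key, so wrapping those lookups in `required` would give operators a clearer failure.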
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
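Review bot: The usage example passes `"useCA" true`, but the define reads only `.ksUserSecret`, so the argument is silently ignored and no CA-related variable is emitted — the documentation promises an option the code does not implement. Either drop it from the example, `{{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }}`, or implement it the way `_keystone_openrc_env_vars.tpl` does, with a `{{- if $useCA }}` block sourcing a CA variable from the `OS_CACERT` secret key, and then show that variable in the return example.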
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
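Review bot: The values example in the header places `apparmor_profiles` under `pod.mandatory_access_control`, but the template reads `$envAll.Values.conf.apparmor_profiles` (both in the guard and in the `toYaml` line), so a chart following the documented layout renders no ConfigMap at all. The example should show `conf:` with `apparmor_profiles:` beneath it alongside the `pod.mandatory_access_control` switches. The `pod` keys are protected with `hasKey` but `.Values.conf` is dereferenced directly; for a chart without a `conf` section, rendering presumably fails with a nil-pointer evaluation rather than skipping the resource, so a `hasKey $envAll.Values "conf"` guard in the same style as the existing ones would be consistent.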
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
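Review bot: The loader's image reference at `image: {{ $envAll.Values.images.tags.apparmor_loader }}` bypasses the shared `helm-toolkit.snippets.image` helper that the entrypoint init container in this same toolkit uses (`tuple $envAll "dep_check" | include "helm-toolkit.snippets.image"`), so whatever that helper applies — its documented inputs are `images.pull_policy` and `images.local_registry` rewriting — is skipped for the one container in the pod that runs `privileged: true` with host `/sys` and `/etc/apparmor.d` mounted. The rendered value is also unquoted, so an empty or missing tag renders as `image:` null rather than failing. Replacing that line with `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` would make the privileged loader follow the same controlled image path as every other container; the helper's exact behaviour is not visible in this hunk, so confirm it accepts the `apparmor_loader` tag key.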
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
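Review bot: `requireSys` defaults to `false` here, but the companion `kubernetes_apparmor_loader_init_container` snippet in this toolkit unconditionally mounts a volume named `sys`, so a chart that includes the loader and calls this snippet with the default will produce a pod that references an undefined volume and is rejected at admission rather than at render time. The `inputs` doc block should say so explicitly, e.g. `requireSys: "Boolean. Must be true whenever kubernetes_apparmor_loader_init_container is included, as that init container always mounts a volume named 'sys'."`. Alternatively a render-time `fail` when `configmap_apparmor` is true and `requireSys` is false would surface the mismatch earlier, but that is a behaviour change for existing callers and would need a sweep of the charts in this bundle.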
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
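Review bot: `hasKey ( index $envAll.Values.pod.security_context ) $application` wraps a single-argument `index`, which just returns the map unchanged, so the parenthesised call is noise; `hasKey $envAll.Values.pod.security_context $application` reads the same as the sibling checks on the lines above and below it. The nested lookup on the following line is fine as written — a missing `container` key yields a nil map and `hasKey` on it is false — so the snippet correctly renders nothing rather than erroring. The abstract links the v1.13 API reference; a version-agnostic link such as `https://kubernetes.io/docs/tasks/configure-pod-container/security-context/` would age better in a bundled copy.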
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
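Review bot: `value: {{- toJson $deps.jobs | quote -}}` for DEPENDENCY_JOBS_JSON looks like it trims the space after the colon, because `{{-` removes the whitespace immediately preceding the action, which would render `value:"[...]"` — a plain scalar rather than a key/value pair — and break the env list whenever a chart declares job dependencies as objects instead of strings. Worth confirming with `helm template` against a values file that uses dict-form jobs; if it reproduces, `value: {{ toJson $deps.jobs | quote }}` matches the quoting style already used for DEPENDENCY_POD_JSON and DEPENDENCY_CUSTOM_RESOURCE a few lines below. The string-jobs branch above it is unaffected, which would explain why the defect goes unnoticed in charts that only use plain job names.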
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
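Review bot: The snippet emits only the `container.apparmor.security.beta.kubernetes.io/<name>` annotation form; on recent Kubernetes releases AppArmor configuration has moved to the `securityContext.appArmorProfile` field and the annotation is deprecated, so a cluster that stops honouring the annotation would run these containers unconfined with nothing in this template failing the render. Since the abstract already notes that only apparmor is generated today, I would extend it with `# NOTE: renders the beta annotation only; clusters that honour only securityContext.appArmorProfile will ignore it — verify enforcement on the target cluster` so operators know to check. The rendered profile value at `container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}` is also unquoted; `{{ $apparmorProfile | quote }}` protects the annotation value from YAML retyping.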
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
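Review bot: When `$antiAffinityType` is neither of the two recognised strings — a typo in `pod.affinity.anti.type.default` or a per-component override is enough — the `if`/`else if` chain renders `podAntiAffinity:` with an empty body, so the pod schedules with no anti-affinity and the HA placement guarantee is lost silently. Adding a terminal branch before the last `{{- end -}}` makes the misconfiguration a render failure: `{{- else }}` followed by `{{- fail (printf "Unsupported pod.affinity.anti.type %q for component %s" $antiAffinityType $component) }}`. The usage example in the doc block also spells `appliction_x`, which is presumably meant to be `application_x`.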
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
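Review bot: The Role grants `list` as well as `get` on every resource that appears in `$deps`, including `secrets` when a secret dependency is declared, so the pod's ServiceAccount can enumerate and read every Secret in that namespace rather than only the one it waits on. If kubernetes-entrypoint only needs to confirm a named secret exists, `get` restricted with `resourceNames` would suffice; that cannot be confirmed from this hunk, so at minimum a comment above the `secrets` branch should record that this is namespace-wide Secret read access and why it is accepted. The single `apiGroups` list (`""`, `extensions`, `batch`, `apps`) is applied to all resources in the one rule, which is harmless but wider than any individual resource needs.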
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
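Review bot: `index $envAll.Values.endpoints $serv.service` returns nil when a declared service dependency has no `endpoints` entry, and the following `$endpointMap.namespace` then looks like it aborts the render with a generic nil-pointer message that does not name the offending dependency. Piping the lookup through `required`, e.g. `{{- $endpointMap := index $envAll.Values.endpoints $serv.service | required (printf "endpoints.%s must be defined for dependency %s" $serv.service $serv.service) }}`, turns that into an actionable error. The `randAlphaNum 32` placeholder key that is created and then `unset` only exists to seed the dict; `dict` with no arguments would do the same without pulling randomness into a template whose output should otherwise be deterministic.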
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/octavia/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
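Review bot: The `hasPrefix "|\n" $templateRendered` checks in both the Secret and configMap branches only match the block-scalar header `toYaml` emits for a string that ends with a newline; a value without a trailing newline is, as far as I can tell, serialised with a `|-` header (and a value whose first line starts with spaces gets an indentation indicator), so it falls through to the else branch and the header characters end up inside the rendered content. Testing for `|` followed by any chomping/indent indicator, or trimming the header with a regex, would close that gap; worth confirming with a value that lacks a trailing newline. Separately, `tpl ( $template | toYaml ) .` evaluates operator-supplied values as a Go template with the full release context, so whoever can set values can reach `.Files` and the rest of `.Values` through it; the abstract should state that the template input is trusted.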
diff --git a/charts/octavia/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/octavia/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
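Review bot: When `$params` has a `ca` key but not both `crt` and `key`, the `hasKey $params "ca"` branch never sets `$local.ca` and the `genCA` fallback in the `else` branch is skipped, so the `genSignedCert` call at the end is handed a nil CA; either move the `genCA` fallback into that branch or fail early with a clear message, e.g. `{{- else }}{{- fail "params.ca requires both crt and key" }}{{- end }}`. Note also that the returned map carries `caKey`, so a caller that writes the whole result into a Secret distributes the CA private key alongside the leaf certificate; callers should select only the keys they need, and the abstract should mention `caKey`. Because `genCA`/`genSignedCert` run from `now` on every render, each `helm upgrade` appears to issue fresh key material unless the caller preserves the previous values.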
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
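Review bot: `unset $context ".Files"` near the top of the define removes a key literally named `.Files`, which the root context does not have, so the chart files stay in `$context` and the presumable intent (keeping `.Files` out of the per-host deep copies) is not achieved. If the key was meant to be `Files`, note that `$context` is the shared root object and unsetting there may also hide `.Files` from anything rendered later in the same pass; omitting it where the copies are built (`$context_novalues := omit $context "Values" "Files"`) would be the narrower change. The 20-character hostname truncation `substr 0 20 $host_data.name` appears to serve only the readable part of the name, since uniqueness comes from the sha256 suffix derived from `matchExpressions`; a comment saying so next to the truncation would save the next reader from worrying about collisions.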
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
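Review bot: `$wtf` is an unhelpful name for the path of the sibling template whose rendered output is hashed; something like `$siblingTemplate` would read better. `replace $last $name` on the full `Template.Name` also substitutes every occurrence of the basename rather than only the final path element; building the path as `{{- $siblingTemplate := printf "%s/%s" (dir $context.Template.Name) $name -}}` is clearer and immune to that. The define has no abstract; a short one stating that the result is the sha256 of the named sibling template's rendered output (presumably used as an annotation to trigger rollouts on config change — confirm against callers) would help.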
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
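Review bot: The separator is emitted before the exclusion check in the `range` body, so an excluded image that is not the first key in iteration order still produces a `,`, giving output such as `a,,c` or a trailing comma when the excluded key sorts last. Move the comma inside the exclusion guard: `{{- if (not (has $k $imageExcludeList )) -}}` followed by `{{- if not $local.first -}},{{- end -}}` and then `{{- $v -}}` (which equals `index $imageDict $k`). A one-line abstract describing the output format (comma-joined image references, excluding `images.local_registry.exclude`) would also help.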
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
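Review bot: The `'{{- $v -}}'` emission on the range line wraps each value in single quotes without escaping a `'` inside the value, so an element containing an apostrophe produces a string whose quoting is broken for whatever consumer parses the result; that limitation is not stated anywhere. I would add to the abstract comment: `Values must not contain single quotes; they are wrapped verbatim and not escaped.` While there, "seperated" in the abstract should read "separated".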
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
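Review bot: The first line of this file opens the license header with `{/*` instead of `{{/*`, so the header is not a template comment and the closing `*/}}` is left dangling as literal text. Because the file is an underscore-prefixed partial whose only rendered content is the `define` block, nothing stray is emitted, but the file is inconsistent with its siblings and any future non-`define` content would be affected; change it to `{{/*`. This may be a transcription artifact of the diff rather than the committed content, so worth checking the file itself.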
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_template.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
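Review bot: The `usage:` example in the header comment does not match the template it documents: it names `helm-toolkit.utils.to_k8s_env_vars` and passes a single map, whereas the `define` below is `helm-toolkit.utils.to_k8s_env_secret_vars` and reads a two-element tuple (`index . 0` as the context whose `.Release.Name` is used for the secret name, `index . 1` as the secrets map). Presumably the intended call for the `test.secrets` example is `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}`; the usage line should say so, and the abstract should mention that the secret name is derived from the release name as `<release>-env-secret`.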
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/octavia/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/octavia/charts/helm-toolkit/values.yaml b/charts/octavia/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/octavia/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/octavia/requirements.lock b/charts/octavia/requirements.lock
new file mode 100644
index 0000000..ce130a4
--- /dev/null
+++ b/charts/octavia/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.44
+digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
+generated: "2022-08-10T23:42:45.910611816Z"
diff --git a/charts/octavia/requirements.yaml b/charts/octavia/requirements.yaml
new file mode 100644
index 0000000..512dcb4
--- /dev/null
+++ b/charts/octavia/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
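= 0.1.0"">
Review bot: The `repository: file://../../openstack-helm-infra/helm-toolkit` path points outside `charts/octavia`, to a location this bundling commit does not appear to add, so `helm dependency update` will presumably fail unless a sibling openstack-helm-infra checkout exists; installing the bundled tree with the vendored `charts/helm-toolkit` subchart should still work because Helm only needs the dependency present in `charts/`. Either point the repository at the vendored copy or document the sibling-checkout requirement next to this entry. The `requirements.lock` hunk above pins `version: 0.2.44`; it is worth confirming that matches the bundled subchart's `Chart.yaml`, which is outside this view.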
diff --git a/charts/octavia/templates/bin/_bootstrap.sh.tpl b/charts/octavia/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..98d1b37
--- /dev/null
+++ b/charts/octavia/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/charts/octavia/templates/bin/_db-sync.sh.tpl b/charts/octavia/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..ae7e3c8
--- /dev/null
+++ b/charts/octavia/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+octavia-db-manage upgrade head
diff --git a/charts/octavia/templates/bin/_octavia-api.sh.tpl b/charts/octavia/templates/bin/_octavia-api.sh.tpl
new file mode 100644
index 0000000..9e32268
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-api.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec octavia-api \
+ --config-file /etc/octavia/octavia.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
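Review bot: The final bare `$COMMAND` runs whatever word the container arguments contain as a shell command, and `COMMAND="${@:-start}"` flattens all arguments into one string, so the script's contract of "start or stop" is only implied by the two function names. A `case` dispatch over the two known verbs makes the accepted inputs explicit and fails loudly on anything else; the same pattern appears in the health-manager, housekeeping and worker scripts below. `stop` relies on `exec` in `start` having made octavia-api PID 1, which holds here but deserves a one-line comment such as `# start exec's octavia-api, so PID 1 is the service process`.

```shell
# … unchanged: license header, set -ex, start() and stop() …
case "$COMMAND" in
  start|stop) "$COMMAND" ;;
  *) echo "unknown command: $COMMAND" >&2; exit 1 ;;
esac
```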
diff --git a/charts/octavia/templates/bin/_octavia-health-manager-get-port.sh.tpl b/charts/octavia/templates/bin/_octavia-health-manager-get-port.sh.tpl
new file mode 100644
index 0000000..fbe8f6a
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-health-manager-get-port.sh.tpl
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+HOSTNAME=$(hostname -s)
+PORTNAME=octavia-health-manager-port-$HOSTNAME
+
+HM_PORT_ID=$(openstack port show $PORTNAME -c id -f value)
+HM_PORT_MAC=$(openstack port show $PORTNAME -c mac_address -f value)
+
+echo $HM_PORT_ID > /tmp/pod-shared/HM_PORT_ID
+echo $HM_PORT_MAC > /tmp/pod-shared/HM_PORT_MAC
diff --git a/charts/octavia/templates/bin/_octavia-health-manager-nic-init.sh.tpl b/charts/octavia/templates/bin/_octavia-health-manager-nic-init.sh.tpl
new file mode 100644
index 0000000..0317c3d
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-health-manager-nic-init.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+HM_PORT_ID=$(cat /tmp/pod-shared/HM_PORT_ID)
+HM_PORT_MAC=$(cat /tmp/pod-shared/HM_PORT_MAC)
+
+ovs-vsctl --no-wait show
+
+ovs-vsctl --may-exist add-port br-int o-hm0 \
+ -- set Interface o-hm0 type=internal \
+ -- set Interface o-hm0 external-ids:iface-status=active \
+ -- set Interface o-hm0 external-ids:attached-mac=$HM_PORT_MAC \
+ -- set Interface o-hm0 external-ids:iface-id=$HM_PORT_ID \
+ -- set Interface o-hm0 external-ids:skip_cleanup=true
+
+ip link set dev o-hm0 address $HM_PORT_MAC
+
+iptables -I INPUT -i o-hm0 -p udp --dport {{ .Values.conf.octavia.health_manager.bind_port }} -j ACCEPT
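Review bot: The final `iptables -I INPUT -i o-hm0 -p udp --dport … -j ACCEPT` is not idempotent: every run of this init script (each pod restart on the same host, if the rule set persists) inserts another copy of the rule, whereas the preceding `ovs-vsctl --may-exist add-port` was written to tolerate re-runs. Guard it with a check first, `iptables -C INPUT -i o-hm0 -p udp --dport {{ .Values.conf.octavia.health_manager.bind_port }} -j ACCEPT || iptables -I INPUT -i o-hm0 -p udp --dport {{ .Values.conf.octavia.health_manager.bind_port }} -j ACCEPT`. The `$HM_PORT_MAC`/`$HM_PORT_ID` values read from `/tmp/pod-shared` are also used unquoted and unchecked; a `[ -n "$HM_PORT_ID" ] && [ -n "$HM_PORT_MAC" ]` guard after the two `cat` lines would fail early instead of configuring the interface with empty external-ids.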
diff --git a/charts/octavia/templates/bin/_octavia-health-manager.sh.tpl b/charts/octavia/templates/bin/_octavia-health-manager.sh.tpl
new file mode 100644
index 0000000..3a42066
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-health-manager.sh.tpl
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ cat > /tmp/dhclient.conf <<EOF
+request subnet-mask,broadcast-address,interface-mtu;
+do-forward-updates false;
+EOF
+
+ dhclient -v o-hm0 -cf /tmp/dhclient.conf
+
+ exec octavia-health-manager \
+ --config-file /etc/octavia/octavia.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/octavia/templates/bin/_octavia-housekeeping.sh.tpl b/charts/octavia/templates/bin/_octavia-housekeeping.sh.tpl
new file mode 100644
index 0000000..a4cd2f0
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-housekeeping.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec octavia-housekeeping \
+ --config-file /etc/octavia/octavia.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/octavia/templates/bin/_octavia-worker.sh.tpl b/charts/octavia/templates/bin/_octavia-worker.sh.tpl
new file mode 100644
index 0000000..f612ff3
--- /dev/null
+++ b/charts/octavia/templates/bin/_octavia-worker.sh.tpl
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec octavia-worker \
+ --config-file /etc/octavia/octavia.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
diff --git a/charts/octavia/templates/configmap-bin.yaml b/charts/octavia/templates/configmap-bin.yaml
new file mode 100644
index 0000000..be9a95d
--- /dev/null
+++ b/charts/octavia/templates/configmap-bin.yaml
@@ -0,0 +1,62 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: octavia-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ rally-test.sh: |
+{{ tuple $rallyTests | include "helm-toolkit.scripts.rally_test" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ octavia-api.sh: |
+{{ tuple "bin/_octavia-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ octavia-health-manager.sh: |
+{{ tuple "bin/_octavia-health-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ octavia-health-manager-nic-init.sh: |
+{{ tuple "bin/_octavia-health-manager-nic-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ octavia-health-manager-get-port.sh: |
+{{ tuple "bin/_octavia-health-manager-get-port.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ octavia-housekeeping.sh: |
+{{ tuple "bin/_octavia-housekeeping.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ octavia-worker.sh: |
+{{ tuple "bin/_octavia-worker.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
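Review bot: `{{- $envAll := . }}` near the top of the template is assigned but never referenced; every `include` and `tuple` below passes `.` directly. Either drop the assignment or use `$envAll` consistently in the includes, as the `configmap-etc.yaml` template that follows does with its `$envAll` parameter. A short comment on the `image-repo-sync.sh` and `bootstrap.sh` entries noting that they are emitted only when `images.local_registry.active` / `bootstrap.enabled` are set would also help readers of the rendered ConfigMap understand why those keys come and go.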
diff --git a/charts/octavia/templates/configmap-etc.yaml b/charts/octavia/templates/configmap-etc.yaml
new file mode 100644
index 0000000..8d3a653
--- /dev/null
+++ b/charts/octavia/templates/configmap-etc.yaml
@@ -0,0 +1,117 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "octavia.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+{{- if empty .Values.conf.octavia.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.octavia.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.octavia.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "region_name" .Values.endpoints.identity.auth.octavia.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "project_name" .Values.endpoints.identity.auth.octavia.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.octavia.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.octavia.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "username" .Values.endpoints.identity.auth.octavia.username -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "password" .Values.endpoints.identity.auth.octavia.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.octavia.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.service_auth.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.octavia.service_auth "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.service_auth.project_name -}}
+{{- $_ := set .Values.conf.octavia.service_auth "project_name" .Values.endpoints.identity.auth.admin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.project_domain_name -}}
+{{- $_ := set .Values.conf.octavia.service_auth "project_domain_name" .Values.endpoints.identity.auth.admin.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.user_domain_name -}}
+{{- $_ := set .Values.conf.octavia.service_auth "user_domain_name" .Values.endpoints.identity.auth.admin.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.username -}}
+{{- $_ := set .Values.conf.octavia.service_auth "username" .Values.endpoints.identity.auth.admin.username -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.password -}}
+{{- $_ := set .Values.conf.octavia.service_auth "password" .Values.endpoints.identity.auth.admin.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.service_auth.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.octavia.service_auth "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.memcache_secret_key -}}
+{{- $_ := set .Values.conf.octavia.service_auth "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.database.connection -}}
+{{- $_ := tuple "oslo_db" "internal" "octavia" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.octavia.database "connection" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.octavia.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "octavia" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.octavia.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $configMapName }}
+type: Opaque
+data:
+ octavia.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.octavia | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "octavia-etc" . | include "octavia.configmap.etc" }}
+{{- end }}
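Review bot: The `memcache_secret_key` fallback in `octavia.configmap.etc` calls `randAlphaNum 64` separately for the `keystone_authtoken` and `service_auth` sections, so when `.Values.endpoints.oslo_cache.auth.memcache_secret_key` is unset the two sections receive different keys and every `helm upgrade` generates fresh ones. Because the rendered Secret feeds the `configmap-etc-hash` pod annotation, each such render rolls every Octavia pod and discards the signed token cache. Resolving the value once, e.g. `{{- $memcacheKey := default (randAlphaNum 64) .Values.endpoints.oslo_cache.auth.memcache_secret_key }}` and passing `$memcacheKey` to both `set` calls, at least keeps the sections consistent; a stable key should come from the values/secret rather than from the template. Separately, `auth_uri` is the deprecated keystonemiddleware name for `www_authenticate_uri`, which may be worth switching to if the targeted release supports it.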
diff --git a/charts/octavia/templates/daemonset-health-manager.yaml b/charts/octavia/templates/daemonset-health-manager.yaml
new file mode 100644
index 0000000..a355e86
--- /dev/null
+++ b/charts/octavia/templates/daemonset-health-manager.yaml
@@ -0,0 +1,161 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "octavia.health_manager.daemonset" }}
+{{- $daemonset := index . 0 }}
+{{- $configMapName := index . 1 }}
+{{- $serviceAccountName := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- with $envAll }}
+
+{{- $mounts_octavia_health_manager := .Values.pod.mounts.octavia_health_manager.octavia_health_manager }}
+{{- $mounts_octavia_health_manager_init := .Values.pod.mounts.octavia_health_manager.init_container }}
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: octavia-health-manager
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "octavia" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "octavia" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "health_manager" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "octavia" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ hostPID: true
+ nodeSelector:
+ {{ .Values.labels.health_manager.node_selector_key }}: {{ .Values.labels.health_manager.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "health_manager" $mounts_octavia_health_manager_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: octavia-health-manager-get-port
+{{ tuple $envAll "octavia_health_manager_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity "admin" ) }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ command:
+ - /tmp/octavia-health-manager-get-port.sh
+ volumeMounts:
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: octavia-bin
+ mountPath: /tmp/octavia-health-manager-get-port.sh
+ subPath: octavia-health-manager-get-port.sh
+ readOnly: true
+ - name: octavia-health-manager-nic-init
+{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: 0
+ capabilities:
+ add:
+ - NET_ADMIN
+ command:
+ - /tmp/octavia-health-manager-nic-init.sh
+ volumeMounts:
+ - name: pod-shared
+ mountPath: /tmp/pod-shared
+ - name: octavia-bin
+ mountPath: /tmp/octavia-health-manager-nic-init.sh
+ subPath: octavia-health-manager-nic-init.sh
+ readOnly: true
+ - name: run
+ mountPath: /run
+ containers:
+ - name: octavia-health-manager
+{{ tuple $envAll "octavia_health_manager" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: 0
+ capabilities:
+ add:
+ - NET_ADMIN
+ command:
+ - /tmp/octavia-health-manager.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/octavia-health-manager.sh
+ - stop
+ volumeMounts:
+ - name: pod-etc-octavia
+ mountPath: /etc/octavia
+ - name: octavia-bin
+ mountPath: /tmp/octavia-health-manager.sh
+ subPath: octavia-health-manager.sh
+ readOnly: true
+ - name: octavia-etc
+ mountPath: /etc/octavia/octavia.conf
+ subPath: octavia.conf
+ readOnly: true
+ {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+ - name: octavia-etc
+ mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_octavia_health_manager.volumeMounts }}{{ toYaml $mounts_octavia_health_manager.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-octavia
+ emptyDir: {}
+ - name: octavia-bin
+ configMap:
+ name: octavia-bin
+ defaultMode: 0555
+ - name: octavia-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+ - name: pod-shared
+ emptyDir: {}
+ - name: run
+ hostPath:
+ path: /run
+{{ if $mounts_octavia_health_manager.volumes }}{{ toYaml $mounts_octavia_health_manager.volumes | indent 8 }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset_health_manager }}
+{{- $envAll := . }}
+{{- $daemonset := "health_manager" }}
+{{- $configMapName := "octavia-etc" }}
+{{- $serviceAccountName := "octavia-health-manager" }}
+
+{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "health_manager" -}}
+{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
+
+{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "octavia.health_manager.daemonset" | toString | fromYaml }}
+{{- $configmap_yaml := "octavia.configmap.etc" }}
+{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
+{{- end }}
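Review bot: The health-manager pod spec sets `hostPID: true` in addition to `hostNetwork: true`, `runAsUser: 0` and `NET_ADMIN`, and the `octavia-health-manager-nic-init` init container also mounts the host's `/run` read-write via `hostPath`; nothing visible in this template explains why the host PID namespace is needed, so unless the nic-init or health-manager scripts (defined in configmap-bin, outside this hunk) rely on it, `hostPID` should be dropped to limit what a compromise of this pod exposes. The `octavia-health-manager-get-port` init container is handed the keystone `admin` credentials via `index $envAll.Values.secrets.identity "admin"` only to look up a port; if the `octavia` service user can make that call, using it instead would follow least privilege. A comment above `hostPID: true` stating the reason, or a values toggle for it, would make the choice reviewable. The `octavia.health_manager.daemonset` define ends within this hunk, but the scripts it invokes do not.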
diff --git a/charts/octavia/templates/deployment-api.yaml b/charts/octavia/templates/deployment-api.yaml
new file mode 100644
index 0000000..76f0d23
--- /dev/null
+++ b/charts/octavia/templates/deployment-api.yaml
@@ -0,0 +1,107 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_octavia_api := .Values.pod.mounts.octavia_api.octavia_api }}
+{{- $mounts_octavia_api_init := .Values.pod.mounts.octavia_api.init_container }}
+
+{{- $serviceAccountName := "octavia-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: octavia-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_octavia_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: octavia-api
+{{ tuple $envAll "octavia_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.octavia.uid }}
+ command:
+ - /tmp/octavia-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/octavia-api.sh
+ - stop
+ ports:
+ - name: o-api
+ containerPort: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ volumeMounts:
+ - name: pod-etc-octavia
+ mountPath: /etc/octavia
+ - name: octavia-bin
+ mountPath: /tmp/octavia-api.sh
+ subPath: octavia-api.sh
+ readOnly: true
+ - name: octavia-etc
+ mountPath: /etc/octavia/octavia.conf
+ subPath: octavia.conf
+ readOnly: true
+ {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+ - name: octavia-etc
+ mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_octavia_api.volumeMounts }}{{ toYaml $mounts_octavia_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-octavia
+ emptyDir: {}
+ - name: octavia-bin
+ configMap:
+ name: octavia-bin
+ defaultMode: 0555
+ - name: octavia-etc
+ secret:
+ secretName: octavia-etc
+ defaultMode: 0444
+{{ if $mounts_octavia_api.volumes }}{{ toYaml $mounts_octavia_api.volumes | indent 8 }}{{ end }}
+{{- end }}
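Review bot: The `octavia-api` container's `readinessProbe` only checks `tcpSocket` on the API port and there is no `livenessProbe`, so a process whose socket is open but whose request workers are wedged stays in rotation indefinitely. An `httpGet` readiness probe against the API root (Octavia serves its version document there without authentication) plus a liveness probe with a conservative `initialDelaySeconds` would catch that; the housekeeping and worker deployments in the following hunks have no probes at all. Since the container runs as the dedicated `.Values.pod.user.octavia.uid`, mounting `octavia-etc` with `defaultMode: 0440` rather than `0444` would narrow who can read `octavia.conf` (which carries the database and keystone credentials) inside the container, provided the pod sets `fsGroup` so the group read bit applies.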
diff --git a/charts/octavia/templates/deployment-housekeeping.yaml b/charts/octavia/templates/deployment-housekeeping.yaml
new file mode 100644
index 0000000..39903b6
--- /dev/null
+++ b/charts/octavia/templates/deployment-housekeeping.yaml
@@ -0,0 +1,102 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_housekeeping }}
+{{- $envAll := . }}
+
+{{- $mounts_octavia_housekeeping := .Values.pod.mounts.octavia_housekeeping.octavia_housekeeping }}
+{{- $mounts_octavia_housekeeping_init := .Values.pod.mounts.octavia_housekeeping.init_container }}
+
+{{- $serviceAccountName := "octavia-housekeeping" }}
+{{ tuple $envAll "housekeeping" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: octavia-housekeeping
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "octavia" "housekeeping" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.housekeeping }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "octavia" "housekeeping" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "octavia" "housekeeping" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ affinity:
+{{ tuple $envAll "octavia" "housekeeping" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.housekeeping.node_selector_key }}: {{ .Values.labels.housekeeping.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "housekeeping" $mounts_octavia_housekeeping_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: octavia-housekeeping
+{{ tuple $envAll "octavia_housekeeping" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.housekeeping | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.octavia.uid }}
+ command:
+ - /tmp/octavia-housekeeping.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/octavia-housekeeping.sh
+ - stop
+ volumeMounts:
+ - name: pod-etc-octavia
+ mountPath: /etc/octavia
+ - name: octavia-bin
+ mountPath: /tmp/octavia-housekeeping.sh
+ subPath: octavia-housekeeping.sh
+ readOnly: true
+ - name: octavia-etc
+ mountPath: /etc/octavia/octavia.conf
+ subPath: octavia.conf
+ readOnly: true
+ {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+ - name: octavia-etc
+ mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_octavia_housekeeping.volumeMounts }}{{ toYaml $mounts_octavia_housekeeping.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-octavia
+ emptyDir: {}
+ - name: octavia-bin
+ configMap:
+ name: octavia-bin
+ defaultMode: 0555
+ - name: octavia-etc
+ secret:
+ secretName: octavia-etc
+ defaultMode: 0444
+{{ if $mounts_octavia_housekeeping.volumes }}{{ toYaml $mounts_octavia_housekeeping.volumes | indent 8 }}{{ end }}
+{{- end }}
diff --git a/charts/octavia/templates/deployment-worker.yaml b/charts/octavia/templates/deployment-worker.yaml
new file mode 100644
index 0000000..54cf68d
--- /dev/null
+++ b/charts/octavia/templates/deployment-worker.yaml
@@ -0,0 +1,102 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_worker }}
+{{- $envAll := . }}
+
+{{- $mounts_octavia_worker := .Values.pod.mounts.octavia_worker.octavia_worker }}
+{{- $mounts_octavia_worker_init := .Values.pod.mounts.octavia_worker.init_container }}
+
+{{- $serviceAccountName := "octavia-worker" }}
+{{ tuple $envAll "worker" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: octavia-worker
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.worker }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ dnsPolicy: ClusterFirstWithHostNet
+ hostNetwork: true
+ affinity:
+{{ tuple $envAll "octavia" "worker" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.worker.node_selector_key }}: {{ .Values.labels.worker.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "worker" $mounts_octavia_worker_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: octavia-worker
+{{ tuple $envAll "octavia_worker" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.octavia.uid }}
+ command:
+ - /tmp/octavia-worker.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/octavia-worker.sh
+ - stop
+ volumeMounts:
+ - name: pod-etc-octavia
+ mountPath: /etc/octavia
+ - name: octavia-bin
+ mountPath: /tmp/octavia-worker.sh
+ subPath: octavia-worker.sh
+ readOnly: true
+ - name: octavia-etc
+ mountPath: /etc/octavia/octavia.conf
+ subPath: octavia.conf
+ readOnly: true
+ {{- if .Values.conf.octavia.DEFAULT.log_config_append }}
+ - name: octavia-etc
+ mountPath: {{ .Values.conf.octavia.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.octavia.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_octavia_worker.volumeMounts }}{{ toYaml $mounts_octavia_worker.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-etc-octavia
+ emptyDir: {}
+ - name: octavia-bin
+ configMap:
+ name: octavia-bin
+ defaultMode: 0555
+ - name: octavia-etc
+ secret:
+ secretName: octavia-etc
+ defaultMode: 0444
+{{ if $mounts_octavia_worker.volumes }}{{ toYaml $mounts_octavia_worker.volumes | indent 8 }}{{ end }}
+{{- end }}
\ No newline at end of file
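Review bot: `deployment-worker.yaml` is added without a trailing newline (`\ No newline at end of file`), unlike the sibling `deployment-api.yaml` and `deployment-housekeeping.yaml` templates; adding the final newline after the closing `{{- end }}` keeps the file consistent with its siblings and avoids a spurious whole-line change in the next diff that touches it.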
diff --git a/charts/octavia/templates/ingress-api.yaml b/charts/octavia/templates/ingress-api.yaml
new file mode 100644
index 0000000..c644e67
--- /dev/null
+++ b/charts/octavia/templates/ingress-api.yaml
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "load_balancer" "backendPort" "o-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
+
diff --git a/charts/octavia/templates/job-bootstrap.yaml b/charts/octavia/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..3117ba4
--- /dev/null
+++ b/charts/octavia/templates/job-bootstrap.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.bootstrap" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "5"
+{{- end }}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "octavia" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.octavia.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-db-drop.yaml b/charts/octavia/templates/job-db-drop.yaml
new file mode 100644
index 0000000..1975d7d
--- /dev/null
+++ b/charts/octavia/templates/job-db-drop.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "octavia" -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-db-init.yaml b/charts/octavia/templates/job-db-init.yaml
new file mode 100644
index 0000000..b1ca9f6
--- /dev/null
+++ b/charts/octavia/templates/job-db-init.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-db-sync.yaml b/charts/octavia/templates/job-db-sync.yaml
new file mode 100644
index 0000000..0c7cdb3
--- /dev/null
+++ b/charts/octavia/templates/job-db-sync.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-image-repo-sync.yaml b/charts/octavia/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..25c19e4
--- /dev/null
+++ b/charts/octavia/templates/job-image-repo-sync.yaml
@@ -0,0 +1,24 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-ks-endpoint.yaml b/charts/octavia/templates/job-ks-endpoint.yaml
new file mode 100644
index 0000000..3f7eff6
--- /dev/null
+++ b/charts/octavia/templates/job-ks-endpoint.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "octavia" "serviceTypes" ( tuple "load-balancer" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
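Review bot: The dict in this template is bound to `$ksServiceJob`, the same variable name job-ks-service.yaml uses, even though it builds the ks_endpoints job; renaming it keeps the two templates distinguishable when grepping and matches the `$dbSyncJob`/`$ksUserJob` naming in the sibling files. The two lines would become `{{- $ksEndpointsJob := dict "envAll" . "serviceName" "octavia" "serviceTypes" ( tuple "load-balancer" ) "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}` and `{{ $ksEndpointsJob | include "helm-toolkit.manifests.job_ks_endpoints" }}`.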
diff --git a/charts/octavia/templates/job-ks-service.yaml b/charts/octavia/templates/job-ks-service.yaml
new file mode 100644
index 0000000..d29ee24
--- /dev/null
+++ b/charts/octavia/templates/job-ks-service.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "octavia" "serviceTypes" ( tuple "load-balancer" ) "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-ks-user.yaml b/charts/octavia/templates/job-ks-user.yaml
new file mode 100644
index 0000000..38e91da
--- /dev/null
+++ b/charts/octavia/templates/job-ks-user.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/octavia/templates/job-rabbit-init.yaml b/charts/octavia/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..50f7d36
--- /dev/null
+++ b/charts/octavia/templates/job-rabbit-init.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "octavia" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/octavia/templates/network_policy.yaml b/charts/octavia/templates/network_policy.yaml
new file mode 100644
index 0000000..f5706ee
--- /dev/null
+++ b/charts/octavia/templates/network_policy.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "octavia" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/octavia/templates/pdb-api.yaml b/charts/octavia/templates/pdb-api.yaml
new file mode 100644
index 0000000..0eb227f
--- /dev/null
+++ b/charts/octavia/templates/pdb-api.yaml
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: octavia-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/octavia/templates/secret-db.yaml b/charts/octavia/templates/secret-db.yaml
new file mode 100644
index 0000000..b2c3199
--- /dev/null
+++ b/charts/octavia/templates/secret-db.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "octavia" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/templates/secret-ingress-tls.yaml b/charts/octavia/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..8d154ff
--- /dev/null
+++ b/charts/octavia/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "load_balancer" ) }}
+{{- end }}
diff --git a/charts/octavia/templates/secret-keystone.yaml b/charts/octavia/templates/secret-keystone.yaml
new file mode 100644
index 0000000..f2883e0
--- /dev/null
+++ b/charts/octavia/templates/secret-keystone.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "octavia" "test" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/templates/secret-rabbitmq.yaml b/charts/octavia/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..4ebd44d
--- /dev/null
+++ b/charts/octavia/templates/secret-rabbitmq.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "octavia" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/octavia/templates/service-api.yaml b/charts/octavia/templates/service-api.yaml
new file mode 100644
index 0000000..3e298e6
--- /dev/null
+++ b/charts/octavia/templates/service-api.yaml
@@ -0,0 +1,36 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "load_balancer" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: o-api
+ port: {{ tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "octavia" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{ end }}
+{{- end }}
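Review bot: values.yaml in this same commit declares `network.api.external_policy_local: false`, but nothing in this Service template reads it, so toggling the value has no effect on the rendered object. If the intent is the pattern used by the other charts, the `spec` block needs `{{ if .Values.network.api.external_policy_local }}` / `externalTrafficPolicy: Local` / `{{ end }}` next to the NodePort `type:` conditional; otherwise the dead value should be dropped from values.yaml so deployers are not misled into thinking source-IP preservation is configurable here. The `{{ if ... }}`/`{{ end }}` lines around `nodePort:` and `type:` also lack `{{-` trimming and leave blank lines in the rendered manifest; harmless, but `{{- if ... }}` / `{{- end }}` would match the rest of the file.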
diff --git a/charts/octavia/templates/service-ingress-api.yaml b/charts/octavia/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..a7a2592
--- /dev/null
+++ b/charts/octavia/templates/service-ingress-api.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 Samsung Electronics Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "load_balancer" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/octavia/values.yaml b/charts/octavia/values.yaml
new file mode 100644
index 0000000..8ba4e7b
--- /dev/null
+++ b/charts/octavia/values.yaml
@@ -0,0 +1,686 @@
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for octavia.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ worker:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ housekeeping:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ health_manager:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ tags:
+ test: docker.io/xrally/xrally-openstack:2.0.0
+ bootstrap: docker.io/openstackhelm/heat:ocata
+ db_init: docker.io/openstackhelm/heat:ocata
+ octavia_db_sync: docker.io/loci/octavia:master-ubuntu
+ db_drop: docker.io/openstackhelm/heat:ocata
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ ks_user: docker.io/openstackhelm/heat:ocata
+ ks_service: docker.io/openstackhelm/heat:ocata
+ ks_endpoints: docker.io/openstackhelm/heat:ocata
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ octavia_api: docker.io/loci/octavia:master-ubuntu
+ octavia_worker: docker.io/loci/octavia:master-ubuntu
+ octavia_housekeeping: docker.io/loci/octavia:master-ubuntu
+ octavia_health_manager: docker.io/loci/octavia:master-ubuntu
+ octavia_health_manager_init: docker.io/kolla/ubuntu-source-octavia-health-manager:rocky
+ openvswitch_vswitchd: docker.io/kolla/centos-source-openvswitch-vswitchd:rocky
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+bootstrap:
+ enabled: true
+ ks_user: admin
+ script: |
+ openstack role create --or-show load-balancer_admin
+ openstack role create --or-show load-balancer_observer
+ openstack role create --or-show load-balancer_global_observer
+ openstack role create --or-show load-balancer_quota_admin
+ openstack role create --or-show load-balancer_member
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30826
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - heat-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ api:
+ jobs:
+ - octavia-db-sync
+ - octavia-ks-user
+ - octavia-ks-endpoints
+ - octavia-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: network
+ worker:
+ jobs:
+ - octavia-db-sync
+ - octavia-ks-user
+ - octavia-ks-endpoints
+ - octavia-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: load_balancer
+ housekeeping:
+ jobs:
+ - octavia-db-sync
+ - octavia-ks-user
+ - octavia-ks-endpoints
+ - octavia-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: load_balancer
+ health_manager:
+ jobs:
+ - octavia-db-sync
+ - octavia-ks-user
+ - octavia-ks-endpoints
+ - octavia-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: network
+ - endpoint: internal
+ service: load_balancer
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - octavia-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ ks_endpoints:
+ jobs:
+ - octavia-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+conf:
+ octavia:
+ DEFAULT:
+ log_config_append: /etc/octavia/logging.conf
+ api_settings:
+ api_handler: queue_producer
+ bind_host: 0.0.0.0
+ database:
+ max_retries: -1
+ health_manager:
+ bind_port: 5555
+ bind_ip: 0.0.0.0
+ controller_ip_port_list: 0.0.0.0:5555
+ heartbeat_key: insecure
+ keystone_authtoken:
+ auth_type: password
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ certificates:
+ ca_private_key_passphrase: foobar
+ ca_private_key: /etc/octavia/certs/private/cakey.pem
+ ca_certificate: /etc/octavia/certs/ca_01.pem
+ haproxy_amphora:
+ server_ca: /etc/octavia/certs/ca_01.pem
+ client_cert: /etc/octavia/certs/client.pem
+ base_path: /var/lib/octavia
+ base_cert_dir: /var/lib/octavia/certs
+ connection_max_retries: 1500
+ connection_retry_interval: 1
+ rest_request_conn_timeout: 10
+ rest_request_read_timeout: 120
+ controller_worker:
+ amp_image_owner_id: null
+ amp_secgroup_list: null
+ amp_flavor_id: null
+ amp_boot_network_list: null
+ amp_ssh_key_name: octavia_ssh_key
+ amp_image_tag: amphora
+ network_driver: allowed_address_pairs_driver
+ compute_driver: compute_nova_driver
+ amphora_driver: amphora_haproxy_rest_driver
+ workers: 2
+ amp_active_retries: 100
+ amp_active_wait_sec: 2
+ loadbalancer_topology: SINGLE
+ oslo_messaging:
+ topic: octavia_prov
+ rpc_thread_pool_size: 2
+ oslo_messaging_notifications:
+ driver: messagingv2
+ house_keeping:
+ load_balancer_expiry_age: 3600
+ amphora_expiry_age: 3600
+ service_auth:
+ auth_type: password
+ cafile: ""
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ logging:
+ loggers:
+ keys:
+ - root
+ - octavia
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_octavia:
+ level: WARNING
+ handlers:
+ - stdout
+ qualname: octavia
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ formatter_default:
+ format: "%(message)s"
+ rabbitmq:
+ # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
+ policies:
+ - vhost: "octavia"
+ name: "ha_ttl_octavia"
+ definition:
+ # mirror messges to other nodes in rmq cluster
+ ha-mode: "all"
+ ha-sync-mode: "automatic"
+ # 70s
+ message-ttl: 70000
+ priority: 0
+ apply-to: all
+ pattern: '(notifications)\.'
+
+secrets:
+ identity:
+ admin: octavia-keystone-admin
+ octavia: octavia-keystone-user
+ test: octavia-keystone-test
+ oslo_db:
+ admin: octavia-db-admin
+ octavia: octavia-db-user
+ oslo_messaging:
+ admin: octavia-rabbitmq-admin
+ octavia: octavia-rabbitmq-user
+ tls:
+ load_balancer:
+ api:
+ public: octavia-tls-public
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ octavia:
+ role: admin
+ region_name: RegionOne
+ username: octavia
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ test:
+ role: admin
+ region_name: RegionOne
+ username: test
+ password: password
+ project_name: test
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 80
+ internal: 5000
+ load_balancer:
+ name: octavia
+ hosts:
+ default: octavia-api
+ public: octavia
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: http
+ port:
+ api:
+ default: 9876
+ public: 80
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ octavia:
+ username: octavia
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /octavia
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ octavia:
+ username: octavia
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /octavia
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ network:
+ name: neutron
+ hosts:
+ default: neutron-server
+ public: neutron
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 9696
+ public: 80
+
+pod:
+ user:
+ octavia:
+ uid: 42424
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ mounts:
+ octavia_api:
+ init_container: null
+ octavia_api:
+ volumeMounts:
+ volumes:
+ octavia_worker:
+ init_container: null
+ octavia_worker:
+ volumeMounts:
+ volumes:
+ octavia_housekeeping:
+ init_container: null
+ octavia_housekeeping:
+ volumeMounts:
+ volumes:
+ octavia_health_manager:
+ init_container: null
+ octavia_health_manager:
+ volumeMounts:
+ volumes:
+ octavia_bootstrap:
+ init_container: null
+ octavia_bootstrap:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ worker: 1
+ housekeeping: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ daemonsets:
+ pod_replacement_strategy: RollingUpdate
+ health_manager:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ disruption_budget:
+ api:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ worker:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ housekeeping:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ health_manager:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+network_policy:
+ octavia:
+ ingress:
+ - {}
+
+manifests:
+ configmap_bin: true
+ configmap_etc: true
+ daemonset_health_manager: true
+ deployment_api: true
+ deployment_worker: true
+ deployment_housekeeping: true
+ ingress_api: true
+ job_bootstrap: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ job_rabbit_init: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ pdb_api: true
+ pod_rally_test: false
+ network_policy: false
+ secret_credential_keys: true
+ secret_db: true
+ secret_ingress_tls: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ service_ingress_api: true
+ service_api: true
+...
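Review bot: `dependencies.dynamic.common.local_image_registry.jobs` lists `heat-image-repo-sync`, but the image-repo-sync job this chart renders is built with `serviceName "octavia"` (job-image-repo-sync.yaml in this commit) and so is presumably named `octavia-image-repo-sync`; with `images.local_registry.active: true` the dependency would wait on a job that belongs to a different chart, so the entry should read `- octavia-image-repo-sync`. Separately, `conf.octavia.health_manager.heartbeat_key: insecure` and `conf.octavia.certificates.ca_private_key_passphrase: foobar` ship as literal placeholders alongside the usual `password` defaults, and nothing in the file marks them as such; a comment like `# NOTE: placeholder value, must be overridden per deployment` above each of those keys would make the expectation explicit to deployers. The `network_policy.octavia.ingress: - {}` rule admits traffic from any source, so enabling `manifests.network_policy` alone does not restrict ingress to the API; that too deserves a one-line comment on the stanza.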
diff --git a/charts/openvswitch/.helmignore b/charts/openvswitch/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/openvswitch/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/openvswitch/Chart.yaml b/charts/openvswitch/Chart.yaml
new file mode 100644
index 0000000..ae2d963
--- /dev/null
+++ b/charts/openvswitch/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm OpenVSwitch
+home: http://openvswitch.org
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: openvswitch
+sources:
+- https://github.com/openvswitch/ovs
+- https://opendev.org/openstack/openstack-helm
+version: 0.1.10
diff --git a/charts/openvswitch/charts/helm-toolkit/Chart.yaml b/charts/openvswitch/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..12e2dd2
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.50
diff --git a/charts/openvswitch/charts/helm-toolkit/requirements.lock b/charts/openvswitch/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..08fae29
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2023-01-13T19:09:10.042747731Z"
diff --git a/charts/openvswitch/charts/helm-toolkit/requirements.yaml b/charts/openvswitch/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
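Review bot: The password read at `{{- $endpointPass := index $userMap "password" }}` is spliced verbatim into the userinfo part of the URL by the `printf "%s://%s:%s@%s:%s%s"` on the last line, so a credential containing `@`, `:`, `/`, `#` or `%` yields a URL whose host or path is mis-parsed by the consumer. Go templates ship `urlquery`, so `{{- $endpointPass := index $userMap "password" | urlquery }}` would percent-encode it; I believe oslo.db/SQLAlchemy and oslo.messaging decode userinfo, but that should be confirmed before relying on it, and note that `urlquery` turns spaces into `+`. The same raw interpolation appears in the two `printf` calls of the next hunk (`_authenticated_transport_endpoint_uri_lookup.tpl`). Since this file is a vendored copy of helm-toolkit (sources list `openstack-helm-infra`), the change belongs upstream with the bundled copy re-synced rather than patched in place.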
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
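Review bot: `range $podInt := until ( atoi (print $ssMap.replicas ) )` silently produces no hosts when `statefulset.replicas` is absent or non-numeric, because sprig's `atoi` returns 0 on a parse error and `print` of nil is `<nil>`; the rendered transport URL then degrades to `rabbit:///cinder` with no hosts and the failure surfaces only at service start. A `fail` guard makes the misconfiguration explicit: `{{- $replicas := atoi (print $ssMap.replicas) }}` / `{{- if lt $replicas 1 }}{{- fail (printf "endpoints.%s.statefulset.replicas must be a positive integer" $type) }}{{- end }}` / `{{- range $podInt := until $replicas }}`.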
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
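Review bot: The pattern in `{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}` is unanchored, so any hostname that merely contains four dot-separated digit groups (for example a `10.0.0.1.nip.io`-style name) is treated as a bare IPv4 literal and bypasses the FQDN/override resolution in the else branch. Anchoring it, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, limits the literal branch to actual dotted quads; IPv6 literals are not recognised at all and would be worth a comment in the abstract. The same unanchored check appears in `_hostname_short_endpoint_lookup.tpl` later in this commit. `$endpointScheme` is assigned and never used here.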
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
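Review bot: `{{- printf "%1.f" $endpointPort -}}` assumes the port reaches the template as a number (Helm decodes YAML integers as float64); a port supplied as a quoted string through a values override renders as `%!f(string=3306)` and the error only shows up in the consuming service. `{{- printf "%d" (int $endpointPort) -}}` gives the same output for numeric input and also accepts a numeric string, as sprig's `int` casts both — worth confirming against the chart's values schema. A missing port name at `index $endpointMap.port $port` fails with an `index of untyped nil` error that does not say which endpoint is misconfigured; wrapping it in `required` with a message naming `$type` and `$port` would help.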
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
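Review bot: `{{- printf "%s" $serviceToken -}}` emits `%!s(<nil>)` when `endpoints.<type>.auth.<user>.token` is unset, because `index` on a missing map key yields nil, so a placeholder string ends up in a secret or config file instead of a render-time failure. Helm's `required` turns that into a clear error: `{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" | required (printf "endpoints.%s.auth.%s.token is required" $type $userName) }}`. The example token in the abstract is fine as documentation but could be replaced with an obviously fake placeholder so it is not mistaken for a real credential when grepping.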
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
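Review bot: `set $context.Values "__FQDNendpointHostDefault"` uses the shared `.Values` map as scratch space, so the key stays visible to every template rendered afterwards (anything that serialises `.Values` with `toYaml` will include it) and a later caller can observe a stale value until it is overwritten. A local `dict`, as this commit's `_authenticated_transport_endpoint_uri_lookup.tpl` already does with `$local`, keeps the state private to one invocation. The same `.Values` scratch pattern is used for `__endpointHost` in `_endpoint_host_lookup.tpl` and `_hostname_short_endpoint_lookup.tpl` in this commit.
```gotemplate
{{/* … unchanged: tuple unpacking, $endpointMap and $endpointHostNamespaced lookups … */}}
{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
{{- $local := dict "fqdnDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
{{- if kindIs "map" $local.fqdnDefault }}
{{- $_ := set $local "fqdnDefault" ( index $local.fqdnDefault "host" ) }}
{{- end }}
{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $local.fqdnDefault | default $endpointClusterHostname }}
{{- printf "%s" $endpointHostname -}}
{{- else }}
{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $local.fqdnDefault | default $endpointClusterHostname }}
{{- printf "%s" $endpointHostname -}}
{{- end -}}
```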
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
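Review bot: The abstract says "Resolves the namespace scoped hostname for an endpoint", but the define returns only the namespace (`printf "%s" $namespace`), as the `return: default` example shows; the text was evidently copied from `_hostname_namespaced_endpoint_lookup.tpl`. Suggest `abstract: |` / `  Resolves the namespace for an endpoint, falling back to the release namespace when endpoints.<type>.namespace is unset`.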
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
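Review bot: When the host is an IPv4 literal the define returns `$type` (`{{- printf "%s" $type -}}`), i.e. the service type such as `oslo_db`, rather than the address, and none of the examples in the abstract cover that branch, so a reader would not expect it. Add a third example with `hosts: default: 127.0.0.1` and `return: | oslo_db`, and a sentence in the abstract such as `For an IPv4 literal the service type is returned, so that namespaced/FQDN lookups produce a name rather than an address`, if that is the intended contract. `$endpointScheme` is assigned and unused in this define.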
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
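Review bot: The usage example in the abstract does not match the define: it passes the unquoted identifier `identity` and includes `"keystone_endpoint_name_lookup"`, while the template is named `helm-toolkit.endpoints.keystone_endpoint_name_lookup` and expects a string. Correct it to `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. The `return` block could also note that the output is already quoted by `| quote`, since callers that add their own quotes would double them.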
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
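Review bot: The else branch `index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/"` is only reached when `path` is not a string, and if `path` is absent entirely `index` of a nil value errors with `index of untyped nil`, so the advertised `/` fallback is never produced for a missing key. Guarding the map case and falling through to the literal default covers it: `{{- else if kindIs "map" $endpointMap.path -}}` … `{{- else -}}{{- "/" -}}{{- end -}}`. The scheme lookup in the next hunk (`_keystone_endpoint_scheme_lookup.tpl`) has the same shape with `"http"` as its default and would need the same guard. The two `# FIXME(portdirect)` lines above the abstract ask whether this function is used; it is called from `_authenticated_endpoint_uri_lookup.tpl` and `_keystone_endpoint_uri_lookup.tpl` in this same commit, so the FIXME could be resolved or at least updated.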
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
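Review bot: The `#`-prefixed lines at the top of this file (the `FIXME(portdirect)` pair and the five-line "This function returns the scheme" paragraph) sit outside `{{/* */}}`, and `#` is not a comment marker in Go templates; they are harmless only because partial files produce no manifest output, and they read as commentary that would not survive in a rendered template. Moving them into the existing `{{/* … */}}` block keeps the intent clear. The example in that paragraph also refers to `helm-toolkit.endpoints.keystone_scheme_lookup`, which does not exist; the define is `helm-toolkit.endpoints.keystone_endpoint_scheme_lookup`.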
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
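Review bot: `.service.name` on L187695 is dereferenced unconditionally inside the IP-literal branch, so an endpoint whose host is an IP address but has no `service:` key aborts the render with a nil-pointer template error, although the abstract (L187665–L187669) describes `.service.name` as an optional override. Guard it before use, e.g. `{{- if (dig "service" "name" "" .) }}` (sprig `dig`, shipped with Helm 3) or `{{- if and (hasKey . "service") .service.name }}` on a Go text/template version where `and` short-circuits. Separately, the pattern on L187694 is unanchored, so a hostname such as `db-1.2.3.4.example` is also treated as an IP literal and silently rewritten to `namespace:<type>`; anchoring it as `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` makes the intent explicit and avoids that surprise.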
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
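Review bot: `monitors: {{ $monHost }}` on L187814 is the only StorageClass parameter emitted unquoted, while every entry from `$storageclassData.parameters` goes through `| quote` on L187816. When `conf.ceph.global.mon_host` is set by the operator (L187797) it is written verbatim, so a comma-separated or bracketed msgr2-style value (something like `[v2:10.0.0.1:3300,v1:10.0.0.1:6789]`, if that is what the operator supplies) would be read by YAML as a flow sequence instead of a string; `monitors: {{ $monHost | quote }}` keeps the manifest well-formed for any input. A smaller point: `allowVolumeExpansion: true` on L187818 is hard-coded rather than taken from `$storageclassData`, which deserves a one-line comment if that is intentional.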
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
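Review bot: The `set` calls on L187907, L187911, L187913, L187917, L187921 and L187925 write the computed defaults into `$envAll.Values.endpoints.<service>.host_fqdn_override.default.tls` itself rather than a local copy, so any template rendered afterwards that reads the same map (the ingress helper in this toolkit reads `tls.duration` from that path) sees dnsNames, duration, renewBefore, usages and key size the operator never set; nothing in the helper says this side effect is intended. Add a comment above L187904 such as `{{/* NOTE: defaults are written back into .Values on purpose so later templates see the same tls settings; deepCopy $slice first if a side-effect-free lookup is wanted */}}`, or switch the `set` targets to a `deepCopy`'d `$slice` if the leakage is unwanted. A related caveat worth stating on L187923: the default `usages` grants `client auth` alongside `server auth`, so with a shared issuer this certificate can also authenticate as a client to any peer doing mTLS against that CA; services that only serve should override `usages` to `server auth` only.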
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
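Review bot: The FQDN Ingress emits a `tls:` stanza whenever the endpoint carries a `tls` key (L188646–L188653), whereas the namespace-scoped Ingress additionally requires both `tls.key` and `tls.crt` to be non-empty (L188609); the asymmetry is not explained and the FQDN rule can end up referencing a secret the chart never created, in which case the ingress controller falls back to whatever default certificate it has. If the difference is deliberate (e.g. `secretName` is populated by cert-manager via an annotation the operator adds under `network.<svc>.ingress.annotations`), a comment above L188646 such as `{{/* tls stanza is emitted even without crt/key so an externally managed secret can be referenced */}}` would stop it being "fixed"; otherwise reuse the same non-empty guard as L188609. Note also that `kubernetes.io/ingress.class` (L188583, L188639) is deprecated for `networking.k8s.io/v1` in favour of `spec.ingressClassName`; keeping the annotation still works on current ingress-nginx, but that choice is worth a comment.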
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
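Review bot: The `docker-socket` volume bind-mounts the node's `/var/run/docker.sock` into the `image-repo-sync` container with no securityContext, which hands the job — and anyone able to edit the `bootstrap-sh` ConfigMap it executes — control of the node's Docker daemon, i.e. root-equivalent access to that node; adding `readOnly: true` would not help, because a read-only bind mount does not stop a client from connecting to and writing through an existing Unix socket. This file looks like a vendored copy of upstream helm-toolkit, so the practical mitigation in this bundle is on the consuming side: keep the sync job disabled unless a local registry is genuinely in use, rely on the `nodeSelector` to confine it to registry nodes, and grant the `*-image-repo-sync` ServiceAccount nothing beyond what `kubernetes_pod_rbac_serviceaccount` already gives it. I would add a comment above the volume so the pattern is not copied, e.g. `# hostPath docker socket: equivalent to root on the node — only enable with a trusted local registry`. The `backoffLimit` default of `"1000"` also keeps a failing sync retrying against that socket for a very long time; a small default such as `"6"` with an explicit override is safer.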
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
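Review bot: The auto-generated egress rule for endpoints that carry a `namespace` key selects the target namespace with `matchLabels: name: <namespace>`, and that plain `name` label is not set by Kubernetes itself (the automatic label is `kubernetes.io/metadata.name`), so on a cluster whose namespaces were never labelled by an operator the kube-system DNS egress from the example matches nothing and the selected pods lose DNS as soon as the policy is applied, with no render-time error. I would document the requirement in the `values:` comment block, e.g. `# NOTE: namespace egress rules match a plain 'name' label on the target namespace; label it (kubectl label ns kube-system name=kube-system) or the rule matches no peer`. The `return:` example is also out of step with the `values:` above it and with the code: it renders the `name: default` peer as a `podSelector`, whereas the template emits a `namespaceSelector` for namespace entries; change the example to `namespaceSelector`. Since this is a vendored copy of helm-toolkit, the fix belongs upstream or in a tracked local patch.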
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
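Review bot: The example values document the credential field as `name:`, but `helm-toolkit.manifests.secret_registry` reads `$imageCredentials.username`, so values written to the example build the auth token from a nil username and the chart installs a silently broken `.dockerconfigjson` that only surfaces later as an image-pull auth failure. Fix the example to `username: {{ $userName }}` and make a missing field fail the render instead of emitting bad data, e.g. `{{- $dockerAuthToken := printf "%s:%s" (required "oci_image_registry.auth.<user>.username is required" $imageCredentials.username) (required "oci_image_registry.auth.<user>.password is required" $imageCredentials.password) | b64enc }}`. The example `return:` likewise shows the data key as `dockerconfigjson` while the template writes `.dockerconfigjson`, which is the key expected for `kubernetes.io/dockerconfigjson` secrets; align the doc with the code. The `auths` JSON is assembled with `printf` without escaping; `$registryHost` comes from the endpoint lookup and is operator-controlled, but a one-line comment saying so would save the next reader the check.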
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
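Review bot: In `helm-toolkit.scripts.create_s3_bucket` the non-`http` branch appends `--no-check-certificate`, so whenever the RGW endpoint is TLS the admin and user S3 key pairs are sent to whatever answers at `$RGW_HOST` without certificate validation, which removes most of the benefit of using TLS for the admin credentials. Make verification the default and only point s3cmd at a CA bundle when one is mounted: replace the `else` body with `if [ -n "${RGW_CA_CERT:-}" ]; then CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT}"; fi`, leaving `--no-check-certificate` as an explicit opt-in for lab deployments. Passing `--access_key`/`--secret_key` on the command line also exposes both key pairs in the pod's process list; I believe s3cmd reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the environment, which would avoid that, but confirm against the s3cmd version in the image. This file looks like a vendored copy of helm-toolkit, so the change should land upstream or be tracked as a local patch.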
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
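Review bot: `update_s3_user` never refreshes the secret when the supplied access key already exists: the loop treats a matching `access_key` as "exists" and `continue`s, and the final `user modify` only runs when no key is left, so rotating only `S3_SECRET_KEY` (same access key, new secret) is a silent no-op and the job exits 0 with the old secret still active. The simplest fix is to always re-apply the pair after pruning foreign keys — drop the `if [[ -z ${current_access_key} ]]` guard and run `radosgw-admin user modify --uid="${S3_USERNAME}" --access-key "${S3_ACCESS_KEY}" --secret-key "${S3_SECRET_KEY}"` unconditionally — but confirm on the target Ceph release that `user modify` with an existing access key overwrites the secret rather than returning an error. The secret also travels on the `radosgw-admin` command line and is therefore visible in the pod's process list; if the image's `radosgw-admin` supports reading it from a file or stdin, that is preferable. Quote the variables in the `radosgw-admin` arguments as well, so a value with whitespace does not split into extra arguments.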
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
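Review bot: The `DROP DATABASE` and `DROP USER` statements interpolate the database and user names taken from the service connection string straight into SQL via `str.format` with no identifier quoting, so a name containing `-`, a reserved word, or anything crafted in `DB_CONNECTION` or the ini file becomes either a syntax error or an injected statement executed with the root DB credentials. Quote the database as an identifier (backticks, embedded backticks doubled) and the user as a string literal so the implicit `@'%'` host part is preserved, as sketched below. `root_engine_url` is also rebuilt by plain concatenation of `url.password`, which SQLAlchemy has already URL-decoded, so a root password containing `@`, `/` or `:` yields a different URL than `ROOT_DB_CONNECTION`; deriving it from the parsed object (`url.set(database=None)` on SQLAlchemy 1.4+, or copying the URL and clearing `.database` on older releases) avoids that, though I would verify which SQLAlchemy version the image ships. The bare `except:` blocks re-raise, so they are harmless, but `except Exception:` would at least not intercept `KeyboardInterrupt`.
```python
def _quote_identifier(name):
    # MySQL/MariaDB identifier quoting: wrap in backticks, double any embedded backtick
    return "`" + name.replace("`", "``") + "`"

# … unchanged: root and user engine setup …
root_engine.execute("DROP DATABASE IF EXISTS {0}".format(_quote_identifier(database)))
# … unchanged: logging …
root_engine.execute("DROP USER IF EXISTS '{0}'".format(user.replace("'", "''")))
```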
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
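Review bot: The root URL rebuilt on `root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])` splices the raw username and password back into a string, so a password containing `@`, `/` or `:` produces a URL that no longer parses, and a missing password makes `''.join` raise TypeError, even though `create_engine(db_connection)` two lines earlier already parsed the original correctly. Reusing the parsed URL object avoids both problems: `root_engine = create_engine(root_engine_full.url, connect_args=ssl_args)`. The same rebuild appears in the _db-drop.py.tpl hunk above (whose start is outside this view). The GRANT statement also embeds `password` into SQL via `.format`, so a password containing a single quote breaks the statement; since these values come from chart configuration rather than untrusted input this is a robustness rather than an injection concern, but it is worth documenting next to the statement. Finally, the bare `except:` clauses catch SystemExit and KeyboardInterrupt as well; `except Exception:` keeps the same logging and re-raise behaviour.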
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
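Review bot: With `set -ex` at the top of the script, the calls `pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"` and `pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"` are printed fully expanded to the xtrace stream, so the service database password ends up in the job log. Wrapping those two calls in `set +x` / `set -x` (as the _ks-user.sh.tpl hunk further down does for its password step) keeps the secret out of the trace. Separately, `EXPORT PGDATABASE=$2` inside `pgsql_superuser_cmd` is not the bash builtin (`export` is lowercase), so under `set -e` any call that passes a second argument aborts with "command not found"; no visible call site passes one, which is why it goes unnoticed, but it should read `export PGDATABASE=$2`.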
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
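Review bot: Because the script runs under `set -ex`, `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` and `openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"` are echoed with the password expanded, so it is written to the job log. The sibling _ks-user.sh.tpl hunk in this same commit already addresses this by surrounding its password step with `set +x` / `set -x` and echoing a masked command; the same wrapping is needed here around both calls.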
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
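Review bot: `/tmp/rmq_definitions.json` is written from `RABBITMQ_AUXILIARY_CONFIGURATION` (a RabbitMQ definitions document, which may carry user and vhost credentials) and is never removed after `rabbitmqadmin_cli import /tmp/rmq_definitions.json`, whereas the rally script in this commit deletes its temporary config right after use. Add `rm -f /tmp/rmq_definitions.json` after the import, or register it with `trap ... EXIT`, so the file does not outlive the job. The helper also passes `--password="${RABBITMQ_ADMIN_PASSWORD}"` as a command-line argument, which is visible in the process table for the duration of each call; `set -e` without `-x` at least keeps it out of the trace output, and that choice is worth a comment so a later edit does not add `-x`.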
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..687851e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,571 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Calculation remote file SHA256 hash
+ REMOTE_FILE=$(mktemp -p /tmp)
+ openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+ rm -rf ${REMOTE_FILE}
+ return 1
+ fi
+
+ # Remote backup verification
+ SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+ SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+ if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+ return 1
+ fi
+ rm -rf ${REMOTE_FILE}
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
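Review bot: `log_backup_error_exit` and `log_verify_backup_exit` default `ERRCODE=${2:-0}`, and every caller in this hunk (the `mkdir`/`mktemp` guards, the dump-failure branch, the tar failure, the remote-listing failure and the verification failure) passes no second argument, so a failed backup terminates with exit status 0 and the Job is reported as successful; the `exit 1` after `log_verify_backup_exit` in `backup_databases` is unreachable. Unless the zero default is deliberate (the remote-upload failure branch does exit 0 on purpose and carries a comment saying why), change both helpers to `ERRCODE=${2:-1}` and state the policy in the header comment. The verify helper also leaves `$TMP_DIR`, which at that point holds the plaintext database dump, on disk because its `rm -rf $TMP_DIR` is commented out; if that is intended for debugging it should be documented, otherwise the removal should be restored. Two smaller defects: `${$ARCHIVE_DIR}` in `remove_old_local_archives` is a bad substitution that aborts the else branch (should be `${ARCHIVE_DIR}`), and `[[ -z fileTable[${INDEX}] ]]` in `create_hash_table` tests a literal string that is never empty, so the first file per index is stored with a leading space — `[[ -z "${fileTable[${INDEX}]}" ]]` is what is intended. The keystone token is also passed to curl as a command-line header, which makes it readable from the process list inside the pod; reading the header from a temporary file (`-H @file`) keeps it out of `ps`.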
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
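Review bot: The tag lookup `{{- $imageTag := index $envAll.Values.images.tags $image -}}` has no guard for a missing key, so a mistyped image name renders `image: ""` (or a bare registry prefix in the local-registry branch) and the mistake only surfaces when the pod fails to pull. Helm's `required` turns that into a render-time error: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. The header's `return:` example already shows the expected shape, so nothing else in the comment needs to change.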
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
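Review bot: The header comment is out of step with the define body: the `usage:` line omits the `useCA` input that gates `OS_CACERT` at the bottom, and the `return:` block lists `OS_CACERT` unconditionally while leaving out `OS_DEFAULT_DOMAIN`, which the template always emits. Suggest `{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true ) }}` for the usage line and a matching return listing. `OS_ENDPOINT_TYPE` deliberately reads the `OS_INTERFACE` key; a one-line comment such as `{{/* OS_ENDPOINT_TYPE mirrors OS_INTERFACE for older clients */}}` would save the next reader a double-take, and the abstract's "enviorment"/"equivlant" typos could go in the same pass.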
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
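Review bot: This is the only snippet in the set without the `abstract:`/`values:`/`usage:`/`return:` header that its siblings carry, and it is the one that writes credentials (`OS_PASSWORD`, optionally `OS_CACERT`) into a Secret's `data`. The header should state that the caller passes a tuple of user class, identity endpoint and context, that the user class must exist under `endpoints.identity.auth`, and that every value is base64-encoded for use inside a `kind: Secret` body. It is also worth documenting that `OS_CACERT` is emitted only when `cacert` is set on the user context, whereas the env-var snippet gates its `OS_CACERT` entry on `useCA`; as far as I can tell from the two templates, a caller that sets `useCA` without a `cacert` ends up referencing a key the Secret does not contain.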
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
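Review bot: The `usage:` example passes `"useCA" true`, but the define reads only `.ksUserSecret` and emits no `OS_CACERT` entry, so the flag is silently ignored. Either drop `"useCA" true` from the example or, if CA support is meant to match the openrc snippet, add the gated block; as written the documentation promises an input the template does not honour. The abstract's "enviorment" typo could be fixed in the same edit.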
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
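Review bot: The `values:` example places `apparmor_profiles` under `pod.mandatory_access_control`, but the template checks and renders `$envAll.Values.conf.apparmor_profiles`, so a chart author following the header gets no ConfigMap at all. The example should move the key under `conf:`; it also shows the value as one `|-` block scalar, whereas `toYaml | indent 2` under `data:` expects a mapping of profile file name to profile text, which is what the `return:` block actually depicts. A short comment on the `conf.apparmor_profiles` check, `{{/* profiles live under conf, not under pod.mandatory_access_control */}}`, would keep the two locations from being confused again.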
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
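Review bot: The loader's `image:` line reads `$envAll.Values.images.tags.apparmor_loader` directly instead of going through `helm-toolkit.snippets.image`, so this init container bypasses the `local_registry` rewrite and gets no `imagePullPolicy`, unlike the other containers the toolkit renders. Replacing the line with `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` restores that consistency. `privileged: true` is also unexplained: a comment recording why the loader needs full privilege (presumably to load profiles into the host kernel) and whether a narrower capability set was evaluated would document the one privileged grant in this snippet family; I cannot confirm the minimal set from the template alone.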
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
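Review bot: `defaultMode: 0555` is an unquoted leading-zero integer, so its meaning depends on the consumer's YAML dialect: a YAML 1.1 parser reads it as octal (decimal 365), a YAML 1.2 parser as decimal 555. Kubernetes and Helm parse manifests with a YAML 1.1 library as far as I know, so the value is correct today, but a comment pins the intent: `defaultMode: 0555  # octal r-xr-xr-x (decimal 365); relies on YAML 1.1 integer semantics`. Separately, `$configName` is built before any of the guards, so it is computed even when the snippet renders nothing; moving it inside the innermost `if` would match the configmap snippet, which builds `$mapName` only after its checks pass.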
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
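Review bot: `hasKey ( index $envAll.Values.pod.security_context ) $application` wraps a single-argument `index`, which is a no-op; `{{- if hasKey $envAll.Values.pod.security_context $application }}` says the same thing without the detour. The `return:` example shows the keys re-sorted (readOnlyRootFilesystem before runAsUser), which is `toYaml`'s doing, and a half-sentence in the abstract saying the map is emitted verbatim but key-sorted would prevent readers from assuming the snippet filters or reorders fields. The abstract also links the v1.13 API reference; the container securityContext has gained fields since then (seccompProfile, for one), so pointing at the current reference page keeps the documentation from going stale.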
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
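Review bot: The `_default_security_context` helper (runAsUser 65534, readOnlyRootFilesystem, allowPrivilegeEscalation false) never drops Linux capabilities, so every chart's dep-check init container keeps the runtime's default capability set although it only polls the API server. Because `mergeOverwrite` deep-merges this default under the chart's values (the documented example shows `allowPrivilegeEscalation: false` surviving a partial override), adding `capabilities:` / `  drop: ["ALL"]` after `allowPrivilegeEscalation: false` would harden every consumer at once while still letting charts override it. As far as I can tell kubernetes-entrypoint needs only API access and an interface address lookup, but confirm against the image before changing an inherited default. Separately, the `PATH` env ends in `:/`, which puts the filesystem root on the search path; it is presumably there because the binary lives at `/kubernetes-entrypoint`, in which case an absolute `command: ["/kubernetes-entrypoint"]` would allow dropping it.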
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
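Review bot: The `eq $macType "apparmor"` check has no `else`, so a mistyped or unsupported `pod.mandatory_access_control.type` renders no annotation at all and the workload runs unconfined without any rendering error; the same silent outcome occurs when `$podName` has no entry. Adding `{{- else }}{{ fail (printf "unsupported mandatory_access_control.type %q" $macType) }}` before that branch's `{{- end -}}` turns the silent downgrade into a render failure. Note also that the `container.apparmor.security.beta.kubernetes.io/*` annotations are deprecated in favour of `securityContext.appArmorProfile` on recent Kubernetes (1.30 and later, as I recall), which is worth a line in the header comment since this copy is a vendored snapshot of openstack-helm-infra.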
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
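Review bot: The `pod.labels.<component>` and `pod.labels.default` maps are emitted after the three standard labels with no filtering, so a values entry such as `application: foo` or `release_group: x` produces a duplicate key in the rendered metadata; depending on the YAML parser that either fails the install or silently replaces a label that other helpers select on. Consider rejecting the reserved keys before each `toYaml`, e.g. `{{- range $k := list "release_group" "application" "component" }}{{- if hasKey $labelMap $k }}{{ fail (printf "pod.labels may not override %q" $k) }}{{- end }}{{- end }}` with `$labelMap` bound to the map about to be emitted. The sibling `kubernetes_pod_anti_affinity` and `kubernetes_kubectl_params` snippets in this bundle key on exactly these three labels, which is why they need protecting.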
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
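Review bot: When `pod.affinity.anti.type` resolves to anything other than the two recognised strings, the helper still prints `podAntiAffinity:` but neither branch of the `if`/`else if` fires, so the spec carries `podAntiAffinity: null` and the pods are not spread at all, with no error. Adding `{{- else }}{{ fail (printf "unsupported pod.affinity.anti.type %q" $antiAffinityType) }}` before the final `{{- end -}}` makes a typo fail at render time rather than at the next node outage. Minor: `appliction_x` in the header example is a typo.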
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
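Review bot: The single rule under `rules:` applies every selected resource to all four API groups, so a `secrets` dependency grants `get` and `list` on Secrets (and, on paper, `secrets` in `apps`/`batch`/`extensions`); `list` lets the dep-check ServiceAccount enumerate every Secret in the namespace rather than fetch the one it waits on. Emitting one rule per resource with its real API group keeps the Role least-privilege and auditable, and if kubernetes-entrypoint only ever `get`s a named Secret — I could not confirm that from here — `list` can be dropped from that rule as well. The `extensions` group is a leftover from pre-1.16 clusters and can go once the supported Kubernetes floor is known.
```yaml
rules:
  {{- range $k, $v := $deps }}
  {{- if eq $v "daemonsets" }}
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["get", "list"]
  {{- end }}
  {{- if eq $v "jobs" }}
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list"]
  {{- end }}
  {{- if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  {{- end }}
  {{- if eq $v "services" }}
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get", "list"]
  {{- end }}
  {{- if eq $v "secrets" }}
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]  # drop "list" once confirmed kubernetes-entrypoint only gets named secrets
  {{- end }}
  {{- end }}
```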
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
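Review bot: `$endpointNS` (taken from `endpoints.<service>.namespace`) becomes the namespace of the generated Role and RoleBinding, so this helper creates RBAC objects in every namespace a service dependency points at — not only the release namespace — and grants this ServiceAccount read access to all Services and Endpoints there. Neither that behaviour nor the consequence that the installer needs RBAC rights in those namespaces is documented in the file; a header block in the style of the other snippets stating it, and noting that a wrong `namespace:` in values places the Role in the wrong namespace, would save the next operator a surprise. As a point of style, the `randAlphaNum 32` placeholder key that is created and later `unset` is unnecessary — the sibling entrypoint snippet builds empty maps with a bare `dict`, so `{{- $allNamespace := dict }}` does the job without random values in the template state.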
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
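Review bot: The deprecated `pod.user.<app>.uid` path and `pod.security_context.<app>.pod` are emitted independently, so a chart that sets both `user.<app>.uid` and `security_context.<app>.pod.runAsUser` renders two `runAsUser` keys under `securityContext`; depending on the YAML parser that is a hard error or a silent last-wins, and either way the effective UID is not obvious from values. Resolving the pod-level map first and emitting the legacy `runAsUser` only when that map lacks one makes the newer key win explicitly; the rewrite below also stops printing `null` when `security_context.<app>` has no `pod` entry. The `$podCtx = ...` reassignment relies on Helm 3's Go template support for `=`; if this bundle must still render under Helm 2, use `set` on a scratch `dict` instead.
```yaml
{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
{{- $envAll := index . "envAll" -}}
{{- $application := index . "application" -}}
{{- $podCtx := dict -}}
{{- if hasKey $envAll.Values.pod "security_context" }}
{{- if hasKey $envAll.Values.pod.security_context $application }}
{{- $podCtx = index $envAll.Values.pod.security_context $application "pod" | default dict -}}
{{- end -}}
{{- end -}}
securityContext:
{{- if hasKey $envAll.Values.pod "user" }}
{{- if hasKey $envAll.Values.pod.user $application }}
{{- if and (hasKey (index $envAll.Values.pod.user $application) "uid") (not (hasKey $podCtx "runAsUser")) }}
  runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $podCtx }}
{{ toYaml $podCtx | indent 2 }}
{{- end -}}
{{- end -}}
```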
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
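Review bot: The snippet emits only the `container.seccomp.security.alpha.kubernetes.io/<name>` annotation form, which Kubernetes deprecated in favour of `securityContext.seccompProfile` and which newer releases no longer honour, so a profile listed under `pod.seccomp` would be silently ignored on such clusters. Since this is a vendored copy of helm-toolkit, the practical change is a line in the `abstract:` block such as `NOTE: emits the legacy alpha annotation only; clusters that have dropped it ignore the profile, and seccompProfile must be set in the pod securityContext instead`. The guard `hasKey (index $envAll.Values.pod "seccomp") $podName` also presumably errors rather than skips when `pod.seccomp` is absent from values, which is worth confirming before treating the feature as optional.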
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
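Review bot: The `usage:` example passes the tolerations map itself (`tuple . .Values.pod.tolerations.api`), but the template indexes `$envAll.Values.pod.tolerations` with the second tuple element, so it expects the component name as a string and the documented call would presumably fail at render time. The corrected example is `{{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . "api" ) }}`. The `enabled: true` flag shown in the `values:` block is never read by the snippet, so the doc should state that the caller is responsible for gating the include on `pod.tolerations.<component>.enabled`.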
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
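Review bot: This define has no `abstract:`/`values:`/`usage:`/`return:` documentation block, unlike the sibling snippets in this directory; the same applies to `_kubernetes_upgrades_deployment.tpl` and `_rgw_s3_admin_env_vars.tpl` in this commit. A block listing the expected `pod.lifecycle.upgrades.daemonsets.<component>` keys (`enabled`, `min_ready_seconds`, `max_unavailable`) and the shared `pod_replacement_strategy` would let chart authors use it without reading the template. Separately, `type: {{ $pod_replacement_strategy }}` is emitted before the `if $pod_replacement_strategy` check, so an unset strategy renders an empty `type:` rather than omitting the field; moving the `type:` line inside that `if` would avoid emitting a null value.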
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
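Review bot: `rollingUpdate.partition` is emitted whenever `.partition` is set regardless of `pod_replacement_strategy`, whereas the daemonset and deployment snippets in this commit only emit their `rollingUpdate` block when the strategy is `RollingUpdate`; with `OnDelete` the rendered stanza is at best ignored. Changing the condition to `{{ if and .partition (eq .pod_replacement_strategy "RollingUpdate") -}}` would make the three snippets consistent. Note also that `partition: 0` is falsy in Go templates and is therefore dropped, which is fine for the default but deserves a sentence in the `abstract:` block.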
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
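Review bot: The header comment describes the rendered entries as `[v2:x.x.x.x/p/0]` and `[v1:x.x.x.x/q/0]`, but the `printf` formats `v2:%s:%d/0` and `v1:%s:%d/0` separate address and port with a colon, so the comment should read `[v2:x.x.x.x:p/0]`, `[v1:x.x.x.x:q/0]` and `[v2:x.x.x.x:p/0,v1:x.x.x.x:q/0]`. The function only returns 1 for empty arguments; when `kubectl` itself fails the caller sees an empty `MON_HOST` together with kubectl's exit status, which the usage example handles but the comment could state explicitly. This file also lacks the Apache licence header that the other snippets in this directory carry.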
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
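Review bot: The `abstract:` line reads `Reneders an attonation key and value for a release`; it should read `Renders an annotation key and value for a release`. Since the `values:` example shows `release_uuid: null` and the define applies `default ""`, the doc could also state that the annotation is always emitted, with an empty value when no uuid is configured.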
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
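Review bot: The Secret data keys are produced by upper-casing whatever keys appear under `storage.s3.clients.<client>.auth`, while the consumer `_rgw_s3_user_env_vars.tpl` in this commit reads the fixed keys `USERNAME`, `ACCESS_KEY` and `SECRET_KEY` from the same `<client>-s3-user-secret`, so the `auth` map must contain exactly `username`, `access_key` and `secret_key` for the two snippets to agree; neither template documents this contract. Neither define carries an `abstract:`/`values:`/`usage:` block, and a short one here stating `auth keys are upper-cased to form the Secret data keys; rgw_s3_user_env_vars expects username, access_key and secret_key` would close the gap. The `toString` before `b64enc` is worth a why-comment too, since a numeric-looking access key would otherwise reach `b64enc` as an integer.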
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
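Review bot: The `usage:` example passes `"enabled" "true"` as a string, and because any non-empty string is truthy in Go templates the snippet would still render when a caller passes `"false"`; the example should pass a boolean, as the sibling `_tls_volume_mount.tpl` does with `"enabled" .Values.manifests.certificates`. `defaultMode: 292` is octal 0444, which makes `tls.key` readable by every uid inside the container; that may be intentional, but an inline comment such as `# 0444: key readable by all users in the pod` would make the choice visible to reviewers.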
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
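Review bot: The second `usage:` example selects the CA-only mount with `"ca" true`, but the template never reads a `ca` key; the `/etc/ssl/certs/openstack-helm.crt` branch is chosen solely by `eq $path ""`, i.e. by omitting `path`. Either the example should drop `"ca" true` and say that omitting `path` triggers the CA-only mount, or the define should read `index . "ca"` and include it in that condition so the documented interface and the code agree.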
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
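Review bot: The `format` parameter read at `$format := index . "format" | default "configMap"` switches to base64-encoded output when set to `"Secret"`, but neither the `abstract:` nor the `usage:` block mentions it; a line such as `format: "configMap" (default) or "Secret"; Secret base64-encodes the rendered value for a Secret's data field` belongs in the doc block. The `hasPrefix "|\n"` branches only handle the literal-block header that `toYaml` emits for a string ending in a newline; a value without a trailing newline would presumably be serialised with a `|-` header and fall through to the else branch, where that header text is emitted as content — confirm whether callers can hit that case.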
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/openvswitch/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
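Review bot: The returned dictionary includes `caKey` (the CA private key) in both the encoded and plain branches, but the `return:` documentation lists only `ca`, `crt`, `exp` and `key`; a caller that writes the whole result into a Secret therefore ships the CA signing key alongside the leaf certificate without the doc saying so, so the `return:` block should add `caKey: | <CA PRIVATE KEY>`. Also, when `params.ca` is present but lacks `crt` or `key`, the inner `if` has no else and the outer else (the `genCA` path) is skipped, so `$local.ca` is unset when passed to `genSignedCert`; restructuring the two conditions so a partial `ca` map falls back to generation would avoid a render-time failure. Finally, the auto-generated CA uses the same `life` as the leaf certificate, so both expire together; that may be intended, but it is worth stating in the `abstract:` block.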
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
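Review bot: The volume cross-reference loop (the `cross-reference configmap name to container volume definitions` section) only rewrites volumes of type `secret` whose `secretName` equals `$configmap_name`; a `configMap`-typed volume with that same name would be left pointing at the shared object, so the per-host override would never reach that pod. If every caller mounts its `-etc` data as a Secret that is fine, but then the comment should say so: `{{/* re-point the secret volume holding the per-daemonset config at this iteration's generated secret */}}`; otherwise a parallel `hasKey $context.Values.__volume "configMap"` branch is needed. Separately, `unset $context ".Files"` keys on the literal string `".Files"` while the context map key is `Files`, so it looks like a no-op — worth confirming what it was meant to strip, since `omit $context "Values"` later copies whatever is left into every per-node context.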
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
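Review bot: In the slice branch the scratch key `__deps` is written into `$envAll.Values` and never removed, so after this include every later template in the chart sees a `.Values.__deps` that mirrors `pod_dependency`; add `{{- $_ := unset $envAll.Values "__deps" -}}` right after the `range` closes. Also, `index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam` is evaluated unguarded in both the string and slice branches, so a chart that passes a mixin name without defining `dependencies.dynamic.targeted` would presumably fail the render with an index-of-nil error rather than fall back to the static dependencies; a `hasKey` check, or a header comment stating that the key is required whenever a mixin is passed, would make the contract explicit.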
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
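Review bot: `replace $last $name` substitutes every occurrence of the calling template's basename within `Template.Name`, not just the trailing path component, so a path in which that basename also appears as a directory would yield a wrong include name; `{{- $wtf := printf "%s/%s" (dir $context.Template.Name) $name -}}` states the intent directly. The same idiom is used by `helm-toolkit.utils.template`. A one-line header comment is also missing; suggest `{{/* Renders the sibling template $name with $context and returns the quoted sha256 of the output, used as a pod annotation so that any rendered-config change triggers a rollout */}}`, since that rollout-trigger property is what callers rely on.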
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
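Review bot: The separator is emitted before the exclusion check, so once a non-excluded image has been printed every excluded image that follows still contributes a `,`; with `images.local_registry.exclude` set this yields a trailing comma or empty elements (`a,,b`) in the list. Move the comma inside the `if`: `{{- if (not (has $k $imageExcludeList )) -}}` / `{{- if not $local.first -}},{{- end -}}` / `{{- index $imageDict $k -}}`, leaving the `set $local "first" false` where it is. A short docblock in the style of the sibling helpers (abstract, values, return) would also help, since this is the only utils template without one.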
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
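Review bot: A value containing a single quote is written verbatim between the quotes, so `it's` renders as `'it's'`, which ends the quoted token early for whatever reads this list (a shell, an SQL statement or an INI parser). The right escape depends on the consumer, so at minimum the abstract should carry the caveat `Values must not contain a single quote; no escaping is applied`, or the helper should double it with `{{- $v | replace "'" "''" -}}` if the callers are SQL-style. The docblock also spells `seperated` for `separated`.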
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
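Review bot: The license header on the first line of the file opens with `{/*` instead of `{{/*`, so it is plain text rather than a template comment; it is harmless today because `_`-prefixed files produce no manifest output, but it diverges from every sibling file and would surface as stray text if this partial were ever rendered directly. Change the opener to `{{/*`.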
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
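Review bot: `_merge.shallow` copies only the top-level keys of a source map (`set $.target $key $value`), so any nested maps inside the copy are still the same objects as in the source; when a later merge recurses into one of them via the `hasKey $.target $key` branch and calls `set $.target $key ...`, it mutates the original source dict instead of the target. The daemonset-overrides helper already had to add a `toYaml | fromYaml` deep copy for this class of aliasing, so consider using it here as well: `{{- $_ := set $local "newTargetValue" ($sourceValue | toYaml | fromYaml) -}}` in place of the four-line shallow-copy branch, and the same for the copied named item. I have not traced a concrete caller that hits this, but the sharing is visible in the code. The header comment already states that scalars and mismatched kinds resolve to the source, so the open TODO could either be dropped or turned into an explicit `fail` if that behaviour is considered a misuse.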
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_template.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openvswitch/charts/helm-toolkit/values.yaml b/charts/openvswitch/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/openvswitch/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/openvswitch/requirements.lock b/charts/openvswitch/requirements.lock
new file mode 100644
index 0000000..8aa7258
--- /dev/null
+++ b/charts/openvswitch/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: 0.2.50
+digest: sha256:7bb7761d375d7b44849ba551843e572bf8ee2208775d55d4b742e799d0e81799
+generated: "2023-01-13T19:09:14.335000104Z"
diff --git a/charts/openvswitch/requirements.yaml b/charts/openvswitch/requirements.yaml
new file mode 100644
index 0000000..84f0aff
--- /dev/null
+++ b/charts/openvswitch/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: ">= 0.1.0"
+...
diff --git a/charts/openvswitch/templates/bin/_openvswitch-db-server.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-db-server.sh.tpl
new file mode 100644
index 0000000..c3c4845
--- /dev/null
+++ b/charts/openvswitch/templates/bin/_openvswitch-db-server.sh.tpl
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+OVS_DB=/run/openvswitch/conf.db
+OVS_SCHEMA=/usr/share/openvswitch/vswitch.ovsschema
+OVS_PID=/run/openvswitch/ovsdb-server.pid
+OVS_SOCKET=/run/openvswitch/db.sock
+
+function start () {
+ mkdir -p "$(dirname ${OVS_DB})"
+ if [[ ! -e "${OVS_DB}" ]]; then
+ ovsdb-tool create "${OVS_DB}"
+ fi
+
+ if [[ "$(ovsdb-tool needs-conversion ${OVS_DB} ${OVS_SCHEMA})" == 'yes' ]]; then
+ ovsdb-tool convert ${OVS_DB} ${OVS_SCHEMA}
+ fi
+
+ umask 000
+ exec /usr/sbin/ovsdb-server ${OVS_DB} \
+ -vconsole:emer \
+ -vconsole:err \
+ -vconsole:info \
+ --pidfile=${OVS_PID} \
+ --remote=punix:${OVS_SOCKET} \
+ --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
+{{- if .Values.conf.openvswitch_db_server.ptcp_port }}
+ --remote=ptcp:{{ .Values.conf.openvswitch_db_server.ptcp_port }} \
+{{- end }}
+ --private-key=db:Open_vSwitch,SSL,private_key \
+ --certificate=db:Open_vSwitch,SSL,certificate \
+ --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
+}
+
+function stop () {
+ PID=$(cat $OVS_PID)
+ ovs-appctl -T1 -t /run/openvswitch/ovsdb-server.${PID}.ctl exit
+}
+
+$COMMAND
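Review bot: `umask 000` immediately before the `exec` of ovsdb-server makes everything the daemon creates — the pidfile, the `db.sock` control socket and `conf.db` itself — world-readable and world-writable, which is far wider than the per-user `chown` the `openvswitch-db-perms` init container in this commit applies to `/run/openvswitch`; if other pods need the socket, state that in a comment and use a narrower mask (`umask 002` keeps it group-accessible) rather than opening the database file to every uid on the node. The optional `--remote=ptcp:{{ .Values.conf.openvswitch_db_server.ptcp_port }}` line binds the unauthenticated OVSDB JSON-RPC listener on all interfaces of the host network namespace (the DaemonSet in this commit sets `hostNetwork: true`); the `ptcp:PORT:IP` form with a loopback address limits that when the port is only meant for local clients, and values.yaml should document what the port is for. `stop` reads the pidfile unquoted; `PID=$(cat "${OVS_PID}")` matches the quoting style used in `start`.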
diff --git a/charts/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl
new file mode 100644
index 0000000..6e4fdbb
--- /dev/null
+++ b/charts/openvswitch/templates/bin/_openvswitch-vswitchd-init-modules.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+chroot /mnt/host-rootfs modprobe openvswitch
+chroot /mnt/host-rootfs modprobe gre
+chroot /mnt/host-rootfs modprobe vxlan
+
+{{- if .Values.conf.ovs_dpdk.enabled }}
+{{- if hasKey .Values.conf.ovs_dpdk "driver"}}
+chroot /mnt/host-rootfs modprobe {{ .Values.conf.ovs_dpdk.driver | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
new file mode 100644
index 0000000..a1a29cc
--- /dev/null
+++ b/charts/openvswitch/templates/bin/_openvswitch-vswitchd.sh.tpl
@@ -0,0 +1,118 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+OVS_SOCKET=/run/openvswitch/db.sock
+OVS_PID=/run/openvswitch/ovs-vswitchd.pid
+
+# Create vhostuser directory and grant nova user (default UID 42424) access
+# permissions.
+{{- if .Values.conf.ovs_dpdk.enabled }}
+mkdir -p /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} /run/openvswitch/{{ .Values.conf.ovs_dpdk.vhostuser_socket_dir }}
+{{- end }}
+
+function start () {
+ t=0
+ while [ ! -e "${OVS_SOCKET}" ] ; do
+ echo "waiting for ovs socket $sock"
+ sleep 1
+ t=$(($t+1))
+ if [ $t -ge 10 ] ; then
+ echo "no ovs socket, giving up"
+ exit 1
+ fi
+ done
+
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait show
+{{- if .Values.conf.ovs_hw_offload.enabled }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:hw-offload={{ .Values.conf.ovs_hw_offload.enabled }}
+{{- end }}
+{{- if .Values.conf.ovs_other_config.handler_threads }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:n-handler-threads={{ .Values.conf.ovs_other_config.handler_threads }}
+{{- end }}
+{{- if .Values.conf.ovs_other_config.revalidator_threads }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:n-revalidator-threads={{ .Values.conf.ovs_other_config.revalidator_threads }}
+{{- end }}
+
+{{- if .Values.conf.ovs_dpdk.enabled }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-hugepage-dir={{ .Values.conf.ovs_dpdk.hugepages_mountpath | quote }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-socket-mem={{ .Values.conf.ovs_dpdk.socket_memory | quote }}
+
+{{- if .Values.conf.ovs_dpdk.mem_channels }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-mem-channels={{ .Values.conf.ovs_dpdk.mem_channels | quote }}
+{{- end }}
+
+{{- if hasKey .Values.conf.ovs_dpdk "pmd_cpu_mask" }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:pmd-cpu-mask={{ .Values.conf.ovs_dpdk.pmd_cpu_mask | quote }}
+ PMD_CPU_MASK={{ .Values.conf.ovs_dpdk.pmd_cpu_mask | quote }}
+{{- end }}
+
+{{- if hasKey .Values.conf.ovs_dpdk "lcore_mask" }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-lcore-mask={{ .Values.conf.ovs_dpdk.lcore_mask | quote }}
+ LCORE_MASK={{ .Values.conf.ovs_dpdk.lcore_mask | quote }}
+{{- end }}
+
+{{- if hasKey .Values.conf.ovs_dpdk "vhost_iommu_support" }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:vhost-iommu-support={{ .Values.conf.ovs_dpdk.vhost_iommu_support }}
+{{- end }}
+
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:vhost-sock-dir={{ .Values.conf.ovs_dpdk.vhostuser_socket_dir | quote }}
+ ovs-vsctl --db=unix:${OVS_SOCKET} --no-wait set Open_vSwitch . other_config:dpdk-init=true
+
+ # No need to create the cgroup if lcore_mask or pmd_cpu_mask is not set.
+ if [[ -n ${PMD_CPU_MASK} || -n ${LCORE_MASK} ]]; then
+ # Setup Cgroups to use when breaking out of Kubernetes defined groups
+ mkdir -p /sys/fs/cgroup/cpuset/osh-openvswitch
+ target_mems="/sys/fs/cgroup/cpuset/osh-openvswitch/cpuset.mems"
+ target_cpus="/sys/fs/cgroup/cpuset/osh-openvswitch/cpuset.cpus"
+
+ # Ensure the write target for the for cpuset.mem for the pod exists
+ if [[ -f "$target_mems" && -f "$target_cpus" ]]; then
+ # Write cpuset.mem and cpuset.cpus for new cgroup and add current task to new cgroup
+ cat /sys/fs/cgroup/cpuset/cpuset.mems > "$target_mems"
+ cat /sys/fs/cgroup/cpuset/cpuset.cpus > "$target_cpus"
+ echo $$ > /sys/fs/cgroup/cpuset/osh-openvswitch/tasks
+ else
+ echo "ERROR: Could not find write target for either cpuset.mems: $target_mems or cpuset.cpus: $target_cpus"
+ fi
+ fi
+{{- end }}
+
+ exec /usr/sbin/ovs-vswitchd unix:${OVS_SOCKET} \
+ -vconsole:emer \
+ -vconsole:err \
+ -vconsole:info \
+ --pidfile=${OVS_PID} \
+ --mlockall
+}
+
+function stop () {
+ PID=$(cat $OVS_PID)
+ ovs-appctl -T1 -t /run/openvswitch/ovs-vswitchd.${PID}.ctl exit
+}
+
+function poststart () {
+ # This enables the usage of 'ovs-appctl' from neutron-ovs-agent pod.
+
+ PID=$(cat $OVS_PID)
+ OVS_CTL=/run/openvswitch/ovs-vswitchd.${PID}.ctl
+ chown {{ .Values.pod.user.nova.uid }}.{{ .Values.pod.user.nova.uid }} ${OVS_CTL}
+}
+
+$COMMAND
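Review bot: The wait loop's log line `echo "waiting for ovs socket $sock"` references `$sock`, which is never assigned anywhere in the script, so the message prints an empty path; it should be `echo "waiting for ovs socket ${OVS_SOCKET}"`. Both `chown` invocations use the `uid.uid` separator, which is deprecated in GNU coreutils and ambiguous for names containing a dot; `chown {{ .Values.pod.user.nova.uid }}:{{ .Values.pod.user.nova.uid }} ...` is the portable form. The `poststart` handoff of `ovs-vswitchd.<pid>.ctl` to the nova uid is a deliberate cross-pod control channel and deserves a comment saying so, since any process running as that uid on the node can then drive `ovs-appctl`; likewise the cgroup block hard-codes cgroup v1 paths under `/sys/fs/cgroup/cpuset` and only logs when they are missing, which looks intended but should be stated in the comment above it.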
diff --git a/charts/openvswitch/templates/configmap-bin.yaml b/charts/openvswitch/templates/configmap-bin.yaml
new file mode 100644
index 0000000..f6e8dc5
--- /dev/null
+++ b/charts/openvswitch/templates/configmap-bin.yaml
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: openvswitch-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+ openvswitch-db-server.sh: |
+{{ tuple "bin/_openvswitch-db-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ openvswitch-vswitchd.sh: |
+{{ tuple "bin/_openvswitch-vswitchd.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ openvswitch-vswitchd-init-modules.sh: |
+{{ tuple "bin/_openvswitch-vswitchd-init-modules.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/openvswitch/templates/daemonset.yaml b/charts/openvswitch/templates/daemonset.yaml
new file mode 100644
index 0000000..244ffb8
--- /dev/null
+++ b/charts/openvswitch/templates/daemonset.yaml
@@ -0,0 +1,260 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ovsdblivenessProbeTemplate" }}
+exec:
+ command:
+ - /usr/bin/ovs-vsctl
+ - show
+{{- end }}
+
+{{- define "ovsdbreadinessProbeTemplate" }}
+exec:
+ command:
+ - /usr/bin/ovs-vsctl
+ - list
+ - Open_Vswitch
+{{- end }}
+
+{{- define "ovsvswitchlivenessProbeTemplate" }}
+exec:
+ command:
+{{- if .Values.pod.probes.ovs.ovs_vswitch.liveness.exec }}
+{{ .Values.pod.probes.ovs.ovs_vswitch.liveness.exec | toYaml | indent 4 }}
+{{- else }}
+ - /usr/bin/ovs-appctl
+ - bond/list
+{{- end }}
+{{- end }}
+
+{{- define "ovsvswitchreadinessProbeTemplate" }}
+exec:
+ command:
+{{- if .Values.pod.probes.ovs.ovs_vswitch.readiness.exec }}
+{{ .Values.pod.probes.ovs.ovs_vswitch.readiness.exec | toYaml | indent 4 }}
+{{- else if not .Values.conf.ovs_dpdk.enabled }}
+ - /bin/bash
+ - -c
+ - '/usr/bin/ovs-vsctl show'
+{{- else }}
+ - /bin/bash
+ - -c
+ - '/usr/bin/ovs-vsctl show && ! /usr/bin/ovs-vsctl list Open_vSwitch | grep -q dpdk_initialized.*false'
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.daemonset }}
+{{- $envAll := . }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: openvswitch
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll "ovs" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "openvswitch" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "openvswitch" "containerNames" (list "openvswitch-db" "openvswitch-db-perms" "openvswitch-vswitchd" "openvswitch-vswitchd-modules" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ shareProcessNamespace: true
+{{ dict "envAll" $envAll "application" "ovs" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ nodeSelector:
+ {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.openvswitch.enabled }}
+{{ tuple $envAll "openvswitch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ dnsPolicy: {{ .Values.pod.dns_policy }}
+ hostNetwork: true
+ initContainers:
+{{ tuple $envAll "ovs" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: openvswitch-db-perms
+{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - chown
+ - -R
+ - {{ $envAll.Values.pod.security_context.ovs.container.server.runAsUser | quote }}
+ - /run/openvswitch
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: run-openvswitch
+ mountPath: /run/openvswitch
+ - name: openvswitch-vswitchd-modules
+{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/openvswitch-vswitchd-init-modules.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: openvswitch-bin
+ mountPath: /tmp/openvswitch-vswitchd-init-modules.sh
+ subPath: openvswitch-vswitchd-init-modules.sh
+ readOnly: true
+ - name: host-rootfs
+ mountPath: /mnt/host-rootfs
+ mountPropagation: HostToContainer
+ readOnly: true
+ containers:
+ - name: openvswitch-db
+{{ tuple $envAll "openvswitch_db_server" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.db | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "liveness" "probeTemplate" (include "ovsdblivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_db" "type" "readiness" "probeTemplate" (include "ovsdbreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/openvswitch-db-server.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/openvswitch-db-server.sh
+ - stop
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: openvswitch-bin
+ mountPath: /tmp/openvswitch-db-server.sh
+ subPath: openvswitch-db-server.sh
+ readOnly: true
+ - name: run
+ mountPath: /run
+ - name: openvswitch-vswitchd
+{{- if .Values.conf.ovs_dpdk.enabled }}
+{{/* Run the container in priviledged mode due to the need for root
+permissions when using the uio_pci_generic driver. */}}
+{{- $_ := set $envAll.Values.pod.security_context.ovs.container.vswitchd "privileged" true -}}
+{{/* Limiting CPU cores would severely affect packet throughput
+It should be handled through lcore and pmd core masks. */}}
+{{- if .Values.pod.resources.enabled }}
+{{ $_ := unset $envAll.Values.pod.resources.ovs.vswitchd.requests "cpu" }}
+{{ $_ := unset $envAll.Values.pod.resources.ovs.vswitchd.limits "cpu" }}
+{{- end }}
+{{- end }}
+{{ tuple $envAll "openvswitch_vswitchd" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovs" "container" "vswitchd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ovs.vswitchd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ # ensures this container can speak to the ovs database
+ # successfully before its marked as ready
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "liveness" "probeTemplate" (include "ovsvswitchlivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" $envAll "component" "ovs" "container" "ovs_vswitch" "type" "readiness" "probeTemplate" (include "ovsvswitchreadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/openvswitch-vswitchd.sh
+ - start
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - /tmp/openvswitch-vswitchd.sh
+ - poststart
+ preStop:
+ exec:
+ command:
+ - /tmp/openvswitch-vswitchd.sh
+ - stop
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: openvswitch-bin
+ mountPath: /tmp/openvswitch-vswitchd.sh
+ subPath: openvswitch-vswitchd.sh
+ readOnly: true
+ - name: run
+ mountPath: /run
+{{- if .Values.conf.ovs_dpdk.enabled }}
+ - name: hugepages
+ mountPath: {{ .Values.conf.ovs_dpdk.hugepages_mountpath | quote }}
+ - name: pci-devices
+ mountPath: /sys/bus/pci/devices
+ - name: huge-pages-kernel
+ mountPath: /sys/kernel/mm/hugepages
+ - name: node-devices
+ mountPath: /sys/devices/system/node
+ - name: modules
+ mountPath: /lib/modules
+ - name: devs
+ mountPath: /dev
+ - name: pci-drivers
+ mountPath: /sys/bus/pci/drivers
+ - name: cgroup
+ mountPath: /sys/fs/cgroup
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: openvswitch-bin
+ configMap:
+ name: openvswitch-bin
+ defaultMode: 0555
+ - name: run
+ hostPath:
+ path: /run
+ type: Directory
+ - name: run-openvswitch
+ hostPath:
+ path: /run/openvswitch
+ type: DirectoryOrCreate
+ - name: host-rootfs
+ hostPath:
+ path: /
+ type: Directory
+{{- if .Values.conf.ovs_dpdk.enabled }}
+ - name: devs
+ hostPath:
+ path: /dev
+ type: Directory
+ - name: pci-devices
+ hostPath:
+ path: /sys/bus/pci/devices
+ type: Directory
+ - name: huge-pages-kernel
+ hostPath:
+ path: /sys/kernel/mm/hugepages
+ type: Directory
+ - name: node-devices
+ hostPath:
+ path: /sys/devices/system/node
+ type: Directory
+ - name: modules
+ hostPath:
+ path: /lib/modules
+ type: Directory
+ - name: pci-drivers
+ hostPath:
+ path: /sys/bus/pci/drivers
+ type: Directory
+ - name: hugepages
+ hostPath:
+ path: {{ .Values.conf.ovs_dpdk.hugepages_mountpath | quote }}
+ type: Directory
+ - name: cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+{{- end }}
+{{- end }}
\ No newline at end of file
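Review bot: The `ovsdbreadinessProbeTemplate` lists the table as `Open_Vswitch`, while the vswitchd readiness command and the bin scripts in this commit spell it `Open_vSwitch`; ovs-vsctl appears to tolerate the case difference, but the probe should use the canonical `- Open_vSwitch` so a stricter client does not turn this into a permanent not-ready node. In the DPDK branch the container is forced `privileged` and receives writable hostPath mounts of `/dev`, `/lib/modules`, `/sys/bus/pci/drivers` and `/sys/fs/cgroup`; nothing in the chart's scripts writes under `/lib/modules`, so `readOnly: true` on that mount narrows the surface without touching the DPDK path — worth confirming against the vswitchd image. The `cgroup` hostPath volume is the only one without a `type:`; `type: Directory` keeps it consistent with the siblings. The file also lacks a trailing newline.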
diff --git a/charts/openvswitch/templates/job-image-repo-sync.yaml b/charts/openvswitch/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..765061c
--- /dev/null
+++ b/charts/openvswitch/templates/job-image-repo-sync.yaml
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "openvswitch" -}}
+{{- if .Values.pod.tolerations.openvswitch.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/openvswitch/templates/network-policy.yaml b/charts/openvswitch/templates/network-policy.yaml
new file mode 100644
index 0000000..751e0e0
--- /dev/null
+++ b/charts/openvswitch/templates/network-policy.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "openvswitch" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/openvswitch/templates/secret-registry.yaml b/charts/openvswitch/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/openvswitch/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/openvswitch/values.yaml b/charts/openvswitch/values.yaml
new file mode 100644
index 0000000..b131faa
--- /dev/null
+++ b/charts/openvswitch/values.yaml
@@ -0,0 +1,235 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for openvswitch.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+images:
+ tags:
+ openvswitch_db_server: docker.io/openstackhelm/openvswitch:latest-ubuntu_bionic
+ openvswitch_vswitchd: docker.io/openstackhelm/openvswitch:latest-ubuntu_bionic
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/library/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+labels:
+ ovs:
+ node_selector_key: openvswitch
+ node_selector_value: enabled
+
+pod:
+ tolerations:
+ openvswitch:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ probes:
+ ovs:
+ ovs_db:
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 60
+ periodSeconds: 30
+ timeoutSeconds: 5
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 90
+ periodSeconds: 30
+ timeoutSeconds: 5
+ ovs_vswitch:
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 60
+ periodSeconds: 30
+ timeoutSeconds: 5
+ readiness:
+ enabled: true
+ params:
+ failureThreshold: 3
+ periodSeconds: 10
+ timeoutSeconds: 1
+ security_context:
+ ovs:
+ pod:
+ runAsUser: 42424
+ container:
+ perms:
+ runAsUser: 0
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ server:
+ runAsUser: 42424
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ modules:
+ runAsUser: 0
+ capabilities:
+ add:
+ - SYS_MODULE
+ - SYS_CHROOT
+ readOnlyRootFilesystem: true
+ vswitchd:
+ runAsUser: 0
+ capabilities:
+ add:
+ - NET_ADMIN
+ readOnlyRootFilesystem: true
+ dns_policy: "ClusterFirstWithHostNet"
+ lifecycle:
+ upgrades:
+ daemonsets:
+ pod_replacement_strategy: RollingUpdate
+ ovs:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ resources:
+ enabled: false
+ ovs:
+ db:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ vswitchd:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ # set resources to enabled and specify one of the following when using dpdk
+ # hugepages-1Gi: "1Gi"
+ # hugepages-2Mi: "512Mi"
+ jobs:
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ user:
+ nova:
+ uid: 42424
+
+secrets:
+ oci_image_registry:
+ openvswitch: openvswitch-oci-image-registry-key
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ openvswitch:
+ username: openvswitch
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+
+network_policy:
+ openvswitch:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - openvswitch-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ ovs: null
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+manifests:
+ configmap_bin: true
+ daemonset: true
+ daemonset_ovs_vswitchd: true
+ job_image_repo_sync: true
+ network_policy: false
+ secret_registry: true
+
+conf:
+ openvswitch_db_server:
+ ptcp_port: null
+ ovs_other_config:
+ handler_threads: null
+ revalidator_threads: null
+ ovs_hw_offload:
+ enabled: false
+ ovs_dpdk:
+ enabled: false
+ ## Mandatory parameters. Please uncomment when enabling DPDK
+ # socket_memory: 1024
+ # hugepages_mountpath: /dev/hugepages
+ # vhostuser_socket_dir: vhostuser
+ #
+ ## Optional hardware specific parameters: modify to match NUMA topology
+ # mem_channels: 4
+ # lcore_mask: 0x1
+ # pmd_cpu_mask: 0x4
+ #
+ ## Optional driver to use. Driver name should be the same as the one
+ ## specified in the ovs_dpdk section in the Neutron values and vice versa
+ # driver: vfio-pci
+ #
+ ## Optional security feature
+ # vHost IOMMU feature restricts the vhost memory that a virtio device
+ # access, available with DPDK v17.11
+ # vhost_iommu_support: true
+...
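Review bot: `endpoints.oci_image_registry.auth.openvswitch.password: password` ships a placeholder credential with nothing in the file marking it as a value that must be overridden, and secret-registry.yaml in this same commit renders it into a registry secret as soon as `auth.enabled` is flipped to true (the `manifests.secret_registry: true` default is only gated by that flag). A comment directly above the `auth:` block such as `# placeholder credentials — supply real values through a values override or an external secret before enabling auth` would make the intent explicit to anyone enabling registry auth. The same default-password pattern presumably recurs in the other bundled charts' values.yaml, which are outside this chunk.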
diff --git a/charts/placement/Chart.yaml b/charts/placement/Chart.yaml
new file mode 100644
index 0000000..23f8ccf
--- /dev/null
+++ b/charts/placement/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Placement
+home: https://docs.openstack.org/placement/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: placement
+sources:
+- https://opendev.org/openstack/placement
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.10
diff --git a/charts/placement/charts/helm-toolkit/Chart.yaml b/charts/placement/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..4f9e6e5
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.46
diff --git a/charts/placement/charts/helm-toolkit/requirements.yaml b/charts/placement/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
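Review bot: The closing `printf "%s://%s:%s@%s:%s%s"` interpolates `$endpointUser` and `$endpointPass` into the URI with no escaping, so a password containing a reserved character such as `@`, `:`, `/`, `#` or `%` produces a connection string that the consumer parses differently from what was configured, with no render-time error. Either percent-encode the userinfo components before the printf (Go's builtin `urlquery` is available in Helm templates, with the caveat that it encodes a space as `+`), or state the constraint in the abstract block, e.g. `username and password are inserted verbatim and must not contain URI-reserved characters`. The same unescaped interpolation appears in `_authenticated_transport_endpoint_uri_lookup.tpl` in both `$endpointCredAndHost := printf ...` lines.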
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
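Review bot: The `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"` test is unanchored, so any hostname that merely contains a dotted-quad substring (for example `node-10.0.0.1.internal`) is treated as an IPv4 literal and returned verbatim instead of going through the FQDN lookup. Anchoring it, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, limits the shortcut to bare addresses; IPv6 literals are not recognised either way, which is worth stating in the abstract. The abstract also reads `of if defined in the host field` where `or if defined in the host field` is meant.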
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
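Review bot: `printf "%1.f" $endpointPort` assumes the resolved port is numeric; a port written as a quoted string in values (`default: "3306"`) renders `%!f(string=3306)` into the manifest with no template error, and a port missing for both `$endpoint` and `default` renders `%!f(<nil>)`. `{{- printf "%v" $endpointPort -}}` prints YAML ints, the float64 values Helm produces for numbers, and strings alike (a float64 3306 should still print as `3306`), and wrapping the lookup in `required` would turn the missing case into a render-time failure instead of a silently broken endpoint.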
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
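Review bot: The IP test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"` is unanchored and IPv4-only, so a hostname that merely contains a dotted quad is treated as an address (and returns `$type` as the service name), while an IPv6 literal falls through to the hostname branch and is emitted verbatim; anchoring it as `"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"` fixes the first case and the same regex in `_service_name_endpoint_with_namespace_lookup.tpl` should change in step. The host unwrapping also parks a scratch value in `$context.Values.__endpointHost`, which mutates the shared values tree for every later template (and shows up in any `toYaml .Values` dump); since this toolkit already uses `$var = ...` reassignment in `_ceph-storageclass.tpl`, a local variable does the same job without the side effect. If this is a bundled copy of helm-toolkit, as the commit title suggests, the fix belongs upstream too.
```yaml
{{- $endpointHost := index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default }}
{{- if kindIs "map" $endpointHost }}
{{- $endpointHost = index $endpointHost "host" }}
{{- end }}
{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}
# … unchanged: printf of $type / hostname branches …
```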
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
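Review bot: The `usage` example in the header comment does not match the template it documents: it calls `include "keystone_endpoint_name_lookup"` with a bare `identity`, whereas the define is `helm-toolkit.endpoints.keystone_endpoint_name_lookup` and the type must be a string. The comment should read `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}` so a copy-paste of the example renders; it is also worth noting in the abstract that the result is already quoted (`| quote`), since callers that quote it again will get a doubly-quoted scalar.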
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
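Review bot: Both branches fall back to plaintext `http` when no scheme is configured (`| default "http"`), so a misspelled or missing `scheme` key silently downgrades an endpoint URI from https to http with no render-time signal; that is an easy way to lose TLS on an internal API without noticing. Changing the default would break existing charts, but the abstract should state it plainly, e.g. `Returns "http" when no scheme is set for the endpoint class; endpoints that must use TLS need an explicit scheme.` The `$port` argument is read and never used, as the `FIXME` above already says, and the stray `#` lines outside the `{{/* */}}` comment are only harmless because `_`-prefixed partials are never rendered as manifests.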
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/placement/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
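Review bot: When the configured host is an IP address and the endpoint definition has no `service` key, `{{- if .service.name }}` dereferences a nil map and aborts the render, even though the abstract describes `.service.name` as an optional override; guard the lookup with `{{- $svc := index . "service" | default dict }}` and then `{{- if $svc.name }}` / `{{- printf "%s:%s" $endpointNamespace $svc.name -}}`. Unlike `_hostname_short_endpoint_lookup.tpl`, this template also does not unwrap the `hosts.<class>: {host: ...}` map form before passing the value to `regexMatch`, so a map-shaped host that works in the other lookups fails here. The IPv4 regex is unanchored; anchoring it with `^`/`$` should be done together with the identical regex in the short-hostname lookup.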
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
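Review bot: `monitors: {{ $monHost }}` is emitted as a plain scalar while every other parameter goes through `| quote`; if `conf.ceph.global.mon_host` is given in the bracketed v2/v1 form Ceph accepts (`[v2:host:3300,v1:host:6789]`) the value starts with `[` and YAML parses it as a flow sequence, so the StorageClass fails validation or carries the wrong type. Use `monitors: {{ $monHost | quote }}` for consistency with the loop below. Note also that the fallback to the endpoint lookup only triggers when `mon_host` is present but empty; a values file without the `conf.ceph.global` subtree fails with a nil-pointer error instead of falling back, which the abstract should say.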
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
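Review bot: The default `usages` of `server auth` plus `client auth` means every certificate minted through this helper without an explicit override can also present itself as a TLS client to any peer that trusts the issuer, which is broader than a server endpoint needs; that should be a per-service decision rather than the fallback. Changing the default would affect charts that rely on it for backend mTLS, so at minimum the header comment should say `usages defaults to [server auth, client auth]; set usages explicitly for server-only endpoints so the key cannot double as an mTLS client identity.` Because every default is written back into `.Values` via `set`, these values are also visible to every template rendered afterwards, and the whole `tls` map is dumped into `spec` by `toYaml`, so any extra keys a chart keeps under `host_fqdn_override.default.tls` land in the Certificate object unfiltered.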
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..70e64cc
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.kibana.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/placement/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
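Review bot: The `else` branch (`CONNECTION_ARGS+=" --no-check-certificate"`) turns off TLS certificate verification for every s3cmd call in the script, so the bucket check, the `mb` and the `setacl` (the last two with the admin key pair) talk to whatever answers at `$RGW_HOST` without authenticating it. If the RGW endpoint is signed by a cluster-internal CA, pass that bundle instead, e.g. `CONNECTION_ARGS+=" --ca-certs=<path to the CA bundle mounted into the job>"`, and keep `--no-check-certificate` out of the default path. The admin and user secret keys are also handed over as command-line arguments, which makes them readable from the process list for the lifetime of each s3cmd call; an s3cmd config file or the credential environment variables the installed s3cmd supports would avoid that. This file is a bundled copy of helm-toolkit, so the change belongs in the source it is bundled from as well.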
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
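Review bot: The check `if [ "$access_key" == "${S3_ACCESS_KEY}" ]` in `update_s3_user` compares only the access key, so a rotation that changes `S3_SECRET_KEY` while keeping the access key logs "Current user and key pair exists." and leaves the old secret in place; the later `radosgw-admin user modify` does not run either, because `current_access_key` is then non-empty. If `radosgw-admin user modify --access-key ... --secret-key ...` replaces the secret of an already existing access key (to be confirmed against the radosgw-admin version in the image), the simplest fix is to drop the `continue` branch and run the modify step unconditionally after the removal loop, which also makes the second `user info` lookup unnecessary. As in the bucket script, the secret key is passed on the command line and is visible in the process list while each radosgw-admin call runs.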
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
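Review bot: `"DROP DATABASE IF EXISTS {0}".format(database)` and `"DROP USER IF EXISTS {0}".format(user)` splice the names taken from the service connection URL into SQL with no quoting, so a name that is not a plain identifier breaks the statement or changes what is dropped; the same pattern is used by the `CREATE DATABASE` and `GRANT` statements in `_db-init.py.tpl`. The names come from chart values rather than from end users, so this is mainly a robustness gap, but quoting them as identifiers is free: `` "DROP DATABASE IF EXISTS `{0}`".format(database) ``. It is also worth noting in the header comment that `connection.close()` only closes the test connection and the engines themselves are left to interpreter exit, and that the bare `except:` clauses re-raise, so SQLAlchemy's wrapped error (which includes the statement text) is what ends up in the job log.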
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
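Review bot: The GRANT statement passed to `root_engine.execute(` embeds the service password as a string literal through `.format`, so a password containing `'` or `\` (it is read straight from the connection URL) either breaks the statement or terminates the literal early, and because the bare `except:` re-raises, the failing statement text with the password in it is what SQLAlchemy puts in the error written to the job log. Prefer binding it: build the statement with `sqlalchemy.text()` and pass `password=password` as a bound parameter, checking that the MariaDB driver in the image accepts a parameter in GRANT (pymysql interpolates client-side, so it does); failing that, escape the literal with the driver's own quoting function rather than `.format`. `{3}` appends the raw value of `MARIADB_X509` to the statement, which makes that environment variable trusted SQL — the header comment should state the expected value (presumably a `REQUIRE` clause) so nobody sets it to something else. The same quoting point applies to the unquoted user and database identifiers here and in `_db-drop.py.tpl`.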
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
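Review bot: `set -ex` at the top traces every command with its arguments expanded, so the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` calls are written to the job's stdout with the password in clear, twice each (once as the `DB_COMMAND="$1"` assignment inside `pgsql_superuser_cmd`, once as the `--command=` argument of psql). Either use `set -e` alone or bracket those two calls with `set +x` / `set -x`, which is what `_ks-user.sh.tpl` in this commit does for its password step. Separately, `EXPORT PGDATABASE=$2` is not a bash builtin (builtins are case-sensitive) and would fail with "command not found" the first time a caller passes a second argument; it should read `export PGDATABASE=$2`, and since nothing unsets it, later single-argument calls would inherit the database — worth a comment if that is intended.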
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
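Review bot: With `set -ex` in effect, `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` and `openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"` are echoed by xtrace with the password expanded, so the service user's password lands in the job log. `_ks-user.sh.tpl` in the same commit already solves this for its password step with `set +x`, a redacted `echo`, and `set -x` afterwards; do the same here around both calls, e.g. `set +x` before the `user create` and `set -x` after the `user set`. This file is a bundled copy of helm-toolkit, so the fix should go to the bundled source as well.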
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
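Review bot: `OS_SERVICE_ID` is taken from an `openstack service list | grep | sed` pipeline, and with `set -e` but no `pipefail` a failed `service list` (the transient failure described in the FIXME of `_ks-service.sh.tpl`) leaves the variable empty without stopping the script, so `openstack endpoint create ... "${OS_SERVICE_ID}"` is later called with an empty service argument. A guard right after the assignment keeps the failure mode explicit: `[ -n "${OS_SERVICE_ID}" ] || { echo "service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; }`. The same applies to the endpoint deletion loop, which also silently iterates over nothing when the list call fails.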
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
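Review bot: The member-role step at the end does not assign the member role: `ks_assign_user_role` derives `USER_ROLE_ID` from `$SERVICE_OS_ROLE` on its first lines and ignores the exported `USER_ROLE_ID`, so the final call re-adds whatever role the preceding loop left in `SERVICE_OS_ROLE` (or fails if `SERVICE_OS_ROLES` was empty). Passing the role name as a function argument fixes both call sites and removes the dependence on the loop variable; the rewritten function and calls are below. `IFS=','` is also left changed for the rest of the script, which is harmless today only because every later expansion is quoted.
```shell
function ks_assign_user_role () {
  local ROLE_NAME="$1"
  if [[ "$ROLE_NAME" == "admin" ]]
  then
    USER_ROLE_ID="$ROLE_NAME"
  else
    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${ROLE_NAME}");
  fi
  # … unchanged: openstack role add …
}

# Manage user service role
IFS=','
for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
  ks_assign_user_role "${SERVICE_OS_ROLE}"
done

# Manage user member role
: ${MEMBER_OS_ROLE:="member"}
ks_assign_user_role "${MEMBER_OS_ROLE}"
```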
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
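Review bot: `${@}` at the end of both rabbitmqadmin invocations in rabbitmqadmin_cli is unquoted, so any argument containing whitespace is word-split before rabbitmqadmin sees it — including `password="${RABBITMQ_PASSWORD}"` from the `declare user` call below, which would silently set a truncated password if the secret contains a space; change both occurrences to `"$@"`. The admin password is also passed as `--password=` on the command line, where it is readable in the process table by anything sharing the pod's PID namespace; if I recall the CLI correctly rabbitmqadmin accepts a config file (`--config`) for credentials, which is worth using when the container is shared. Separately, the auxiliary definitions are written to the fixed path `/tmp/rmq_definitions.json`, a predictable temp file that a pre-existing symlink or file can redirect; `DEFS=$(mktemp)` followed by `rm -f "${DEFS}"` after the import avoids that.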
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
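Review bot: The rally deployment config written by the `cat > /tmp/rally-config.json << EOF` block contains the admin `OS_PASSWORD` and the service user password in clear text, and it is created under the process's default umask at a fixed, predictable path before being removed a few lines later; write it with `umask 077` into a `mktemp` path (e.g. `RALLY_CFG=$(mktemp)` and `cat > "${RALLY_CFG}" << EOF`) so no other process in the container can read or pre-create it. Also, `if [ $revisionResults = "None" ]` in create_or_update_db leaves the variable unquoted; when `rally db revision` prints nothing the test becomes `[ = None ]`, which errors and falls through to `rally db upgrade` instead of `rally db create` — quote it: `if [ "${revisionResults}" = "None" ]`. Note that `set -ex` is on for this script, so every `rally` and `openstack` command line is echoed to the job log; that is fine as long as no credentials are passed as arguments, which holds for the commands shown here but should stay true for anything added to `clean_up`.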
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
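Review bot: `if $REMOTE_BACKUP; then` in backup_databases executes the value of REMOTE_BACKUP_ENABLED as a command rather than testing it, so any value other than an exact `true`/`false` — which the comment says is read from a secret and de-quoted with sed — is run by the shell; compare it instead: `if [[ "${REMOTE_BACKUP}" == "true" ]]; then`. The same hunk has three quoting bugs that defeat their own intent: `if [[ -f fd ]]; then rm -f fd` in remove_old_remote_archives tests the literal string `fd`, so the two mktemp files are never deleted and a WARN is logged on every run (use `"${fd}"`); `[[ -z fileTable[${INDEX}] ]]` in create_hash_table tests a non-empty literal, so the else branch always runs and every entry gets a leading space (use `[[ -z "${fileTable[${INDEX}]}" ]]`); and `${$ARCHIVE_DIR}` in remove_old_local_archives is a bad substitution that aborts the log call. In send_to_remote_server, `echo $RESULT | grep $CONTAINER_NAME` is an unanchored substring match, so a container whose name merely contains CONTAINER_NAME (e.g. `db-backups` vs `backups`, constructed example) makes the script skip creation and then upload into whichever container exists; `openstack container list -f value -c Name | grep -qx -- "${CONTAINER_NAME}"` matches whole names. Finally, in seconds_difference the `$? -ne 0` guard sets SECOND_DELTA=0 but does not return, so an unparsable date still reaches `$(($CURRENT_DATE-$ARCHIVE_DATE))` with an empty operand and fails; make that branch `echo 0; return`.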
diff --git a/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
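Review bot: The loader image at L204339 is rendered as a bare `{{ $envAll.Values.images.tags.apparmor_loader }}` instead of going through the `helm-toolkit.snippets.image` helper that the entrypoint snippet uses at L204662, so `images.pull_policy` and the `images.local_registry` rewrite are not applied, and the value is emitted unquoted. That matters more than usual here because this init container runs with `privileged: true` (L204343) and host-path mounts of `/sys` and `/etc/apparmor.d`, so which image is pulled, and from where, deserves the same control as the other toolkit containers. `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` in place of L204339 would align it. A comment above L204343 noting that the privileged flag is required for loading profiles into the host kernel and that this container will be rejected under the Pod Security `restricted` or `baseline` levels would help operators who enable those admission policies.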
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
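Review bot: The `hostPath` volumes at L204417–L204423 carry no `type:`, so with the default empty type the kubelet creates a missing `/etc/apparmor.d` (or `/sys`) as an empty root-owned directory instead of refusing to start the pod, which hides a node that lacks AppArmor tooling behind a loader that finds nothing to load. `type: Directory` under each `hostPath:` makes the pod fail fast on such a node; the paths are consumed read-only by the loader container in the sibling snippet, so the stricter type does not change what the container can write. The `defaultMode: 0555` at L204427 relies on YAML 1.1 octal parsing, which Helm's parser provides, but a short comment saying the mode is intentionally octal would prevent a future "fix" to a quoted or decimal form.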
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
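Review bot: The abstract at L204455–L204457 does not say that the snippet emits nothing at all when `pod.security_context.<application>.container.<container>` is absent, so a container silently ends up with no `securityContext` rather than with any default; the entrypoint snippet on this page works around that by merging a default map before calling this helper. A line in the abstract such as `No securityContext is rendered when the values path is missing; callers that need hard defaults must merge them into envAll first` would make the contract explicit. The nested `hasKey`/`index` guards at L204479–L204481 are what produce that behaviour, and are worth a one-line comment saying they are deliberate.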
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
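Review bot: The `{{-` at L204687 trims the space after `value:` and the trailing `-}}` swallows the newline, so the DEPENDENCY_JOBS_JSON entry appears to render as `value:"[...]"` joined to its key, which YAML does not read as a mapping entry; the sibling entries at L204695 and L204697 use `value: {{ ... }}` without the left trim. `value: {{ toJson $deps.jobs | quote }}` keeps the structure, and since this branch only runs when the first job entry is not a string it may simply never have been exercised. Separately, L204629 and L204657 write into `$envAll.Values` on every include, so the snippet mutates the shared values map that later templates in the same render see; a comment above L204629 stating that `__kubernetes_entrypoint_init_container` is scratch state rebuilt on each call would save the next reader from treating it as a real value.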
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
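Review bot: `$envAll` is bound at L204724 but never read, so the first tuple element is dead input and the snippet's interface suggests a dependency on the release context that it does not have. The `print` at L204727 interpolates `$application` and `$component` into the selector text with no quoting, so a value containing whitespace would split the arguments if the result is handed to a shell; the values come from chart templates rather than end-user input, so this is a robustness point, but `printf "-l application=%q -l component=%q" $application $component` would make the shape explicit. A short abstract comment above L204723 in the style of the other snippets (purpose, usage, return) is also missing.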
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
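Review bot: The profile reference at L204785 is rendered unquoted, `{{ $apparmorProfile }}`, while the sibling apparmor volumes snippet quotes its configMap name with `| quote`; a profile value containing `: ` or ` #` would break the annotation map at render time rather than being rejected by the API server. `container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile | quote }}` keeps the output a string. The `container.apparmor.security.beta.kubernetes.io/` annotation is the deprecated form now that Kubernetes exposes `securityContext.appArmorProfile` on pods and containers, which is worth noting in the abstract at L204750–L204753 so consumers know this helper does not populate the field-based form.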
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
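Review bot: The user-supplied label maps rendered at L204845 and L204848 follow the fixed `release_group`, `application` and `component` keys at L204840–L204842 with no filtering, so a `pod.labels.default.application` entry produces a duplicate key; depending on the parser that is either a render error or a last-wins override of the very labels the anti-affinity match expressions and selectors key on. Dropping the reserved keys before serialising, e.g. `{{ index $envAll.Values.pod "labels" $component | omit "release_group" "application" "component" | toYaml }}` at L204845 and the same for the default map, keeps them authoritative. A comment above L204840 stating that these three labels are reserved for selectors and must not be overridden from values would document the intent either way.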
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
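Review bot: An anti-affinity `type` that is neither of the two recognised strings renders `podAntiAffinity:` with nothing under it, because L204925 is emitted before the `if`/`else if` at L204927 and L204939 decides, and Kubernetes reads that as a null field and schedules the pods with no spreading constraint at all. An explicit `{{- else }}{{ fail (printf "unsupported pod.affinity.anti.type %q" $antiAffinityType) }}` before the `{{- end -}}` at L204945 surfaces a typo at render time instead of as a silent loss of placement guarantees. The fallback `weight: 10` at L204937 duplicates the documented `weight.default`, so a comment there saying it only applies when the `weight` map is absent entirely would explain the two code paths.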
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
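Review bot: The Role at L205044–L205071 grants `list` as well as `get` on every resource it includes, and when `secrets` is added at L205069 a namespace-wide `list` returns the contents of every Secret in that namespace to the ServiceAccount. If the dependency checker only needs to confirm that named Secrets exist, `get` restricted with `resourceNames` is the least-privilege form; I cannot tell from this hunk which verbs the consumer issues, so this is worth confirming against the kubernetes-entrypoint image before tightening. The `extensions` group at L205047 no longer serves any of these resources on current Kubernetes releases and can be dropped once the supported versions allow, which also shrinks the audit surface of the binding.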
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
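Review bot: The dependency-resolution block at L205101–L205115 duplicates L204629–L204643 of the entrypoint init-container snippet but omits the `job_rabbit_init` dynamic merge that snippet performs at L204645–L204653, so a `jobs` dependency contributed only through that path would get no `jobs` rule in the generated Role while the init container still tries to watch it; if that reading is right, factoring the resolution into one shared helper would keep the two in step. The `randAlphaNum 32` placeholder key at L205098, later removed at L205148, exists only to seed the map and can be replaced by the argument-less `dict` already used at L205101, which also removes a non-deterministic call from the template. A comment above L205129 explaining that `$allNamespace` accumulates a comma-separated resource list per target namespace would make the later `splitList`/`trimSuffix` at L205150 readable.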
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
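Review bot: The doc block at the top of this snippet has a typo and a stale reference: `For pod level, seurity context see here:` should read `For the pod-level security context see:`, and the link points at the v1.13 API reference. It is also worth stating in the abstract that the snippet emits only what `pod.security_context.<app>.pod` (and the deprecated `pod.user.<app>.uid`) supplies — nothing such as `runAsNonRoot: true` is defaulted, so a chart that omits those values renders a bare `securityContext:`; a line like `Nothing is defaulted: runAsUser/runAsNonRoot appear only when present in values.` would make that explicit to chart authors.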
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
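Review bot: The `return:` example in the doc block is not valid YAML — `memory: "128Mi` under `requests` is missing its closing quote and should read `memory: "128Mi"`. Since the header already marks the function deprecated, the note would be more useful if it named the replacement; I cannot see the successor from this hunk, so add that only once it is confirmed, e.g. `Note: deprecated in favour of <successor snippet>; will be removed in the future.`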
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
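Review bot: The rendered key `container.seccomp.security.alpha.kubernetes.io/<container>` is the pre-GA seccomp annotation, which Kubernetes deprecated in 1.19 in favour of `securityContext.seccompProfile` and which, as far as I recall, recent kubelets (1.27 and later) no longer honour at all — on such clusters the profile named under `pod.seccomp` is silently not applied and the container runs unconfined, so confirm this against the target cluster version. At minimum the abstract should carry `NOTE: seccomp annotations are deprecated and ignored on current Kubernetes; set securityContext.seccompProfile instead`, and ideally a companion snippet would render `seccompProfile: {type: Localhost, localhostProfile: <name>}` into the container securityContext from the same values. Nothing in this hunk validates that the value starts with `localhost/`, `runtime/default` or `unconfined`, so a typo in values also goes unnoticed.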
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
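Review bot: The `usage:` example does not match the implementation: the doc passes `.Values.pod.tolerations.api` (a map) as the second tuple element, but the define does `index $envAll.Values.pod.tolerations $component`, which needs the component *name* — with the documented call `index` fails because the key is not a string. The example should read `{{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . "api" ) }}`. Note also that `enabled: true` shown in the values is never checked by the snippet, so either document it as advisory or guard the output with `{{- if $pod.enabled }}` before `tolerations:`.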
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
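Review bot: The usage example in the header is unsafe with the output this function produces: `sed -i -e "s/^mon_host = /mon_host = $MON_HOST/"` uses `/` as the s-command delimiter, yet every endpoint the go-template renders ends in `/0` (`printf "v2:%s:%d/0"`), so the substitution fails with an unterminated/unknown-option `s` command on the first real result. The example should use a delimiter that cannot appear in the value, e.g. `sed -i -e "s|^mon_host = |mon_host = $MON_HOST|"`. The format comments above the function are also inconsistent with the code: they describe `[v2:x.x.x.x/p/0]` while the template emits `v2:x.x.x.x:p/0`. The function itself quotes `$ns` and `$ep` correctly when calling `kubectl get endpoints`; it does rely on the pod's ServiceAccount having `get` on endpoints in that namespace, which is worth stating in the header.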
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
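Review bot: The license header at the top of this file is truncated — it opens with `you may not use this file except in compliance with the License.` and lacks the first line `Licensed under the Apache License, Version 2.0 (the "License");` that every sibling snippet carries, so the attribution in this bundled copy is incomplete. Restoring that line (and the blank lines the other headers use around the URL) keeps the vendored file consistent with the rest of helm-toolkit. The snippet body itself mirrors the pod-annotation one with the extra `prometheus.io/scheme` key, and the comment already warns that an `https` scheme needs a matching `tls_config` on the scrape side.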
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
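Review bot: The abstract reads `Reneders an attonation key and value for a release` — two typos; it should be `Renders an annotation key and value for a release`. It would also help to document the fallback the define implements: when `release_uuid` is unset the snippet still emits the annotation with an empty quoted value rather than omitting it, e.g. `Emits "" when .Values.release_uuid is null so the annotation key is always present.`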
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
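Review bot: The contract between this Secret and the snippet that consumes it is undocumented: the data keys are simply `$key | upper` of whatever sits under `storage.s3.clients.<client>.auth`, and `rgw_s3_user_env_vars` looks up `USERNAME`, `ACCESS_KEY` and `SECRET_KEY`, so `auth` must contain `username`, `access_key` and `secret_key` (any case) or the consuming pods fail with a missing-key error at start. An abstract such as `Renders one Opaque Secret per storage.s3.clients entry; auth keys are upper-cased and must include username/access_key/secret_key` would make that explicit. Since each value is base64-encoded straight from values, these credentials live in plaintext in whichever values or override file carries them — a one-line note pointing at the chart's secret-handling guidance (external secret injection, or at least keeping them out of committed overrides) is warranted for anyone vendoring this copy.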
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
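Review bot: The `usage:` example passes `"enabled" "true"` — a string, not a boolean — and because the define only tests `and $enabled (ne $name "")`, any non-empty string is truthy, so a caller who copies the pattern and passes `"false"` still gets the volume rendered. The example should use a real boolean as the sibling mount snippet does: `{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" -}}`. Separately, `defaultMode: 292` is 0444, so `tls.key` is readable by every uid in the pod; 0440 (288) would be tighter but only works if the charts set `fsGroup` for the service user, which I cannot see from here — at minimum add a comment explaining why world-readable was chosen.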
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
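Review bot: Every mount here uses `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts — so a renewed certificate in the `glance-tls-api` secret is not seen by the container until the pod is recreated, which matters both for routine rotation and for revoking a compromised key. The abstract should say so, e.g. `NOTE: subPath mounts do not receive Secret updates; pods must be restarted to pick up rotated certs`, and charts that rotate certificates should either restart on secret change or mount the whole secret at a directory. The second usage example also passes `"ca" true`, a key the define never reads; what actually selects the CA-only branch is omitting `path` (the `eq $path ""` check), so the example should drop `"ca" true` and state that instead.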
diff --git a/charts/placement/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/placement/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
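Review bot: The `tpl ( $template | toYaml ) .` call at the top of the define evaluates values-supplied config as a Go template against the whole chart context, so whoever controls the `conf.*` values can read anything else in `.Values` and `.Files` while rendering; the abstract only says "we can use all of gotpl here", and a sentence making the trust boundary explicit would help operators who source values from several places, e.g. `Note: templates are rendered with tpl against the full chart context, so config content is treated as trusted template code, not as data.`. A smaller point is that `{{ $key }}:` is emitted unquoted in all four branches, so a key containing `: ` or starting with a YAML indicator would break the generated ConfigMap/Secret; `{{ $key | quote }}:` would be safer if callers may pass arbitrary keys.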
diff --git a/charts/placement/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/placement/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
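Review bot: When `params.ca` is present but lacks `crt` or `key`, the `hasKey $params "ca"` branch sets nothing, so `$local.ca` stays nil and the later `genSignedCert ... $local.ca` call fails instead of falling back to the auto-generated CA that the values comment promises; folding the checks into one condition, `{{- if and (hasKey $params "ca") (hasKey ($params.ca | default dict) "crt") (hasKey ($params.ca | default dict) "key") }}`, makes the existing `else` branch the fallback. Separately, the returned dict carries `caKey` next to the leaf `key`, so a caller that writes the whole dict into a Secret also persists the CA signing key with the same access as the server key, and the generated CA is given the same `life` as the leaf and is regenerated on every render since nothing looks up an existing one; both facts are worth stating in the `return:` example, which currently omits `caKey`.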
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
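Review bot: `unset $context ".Files"` near the top of the define looks like a no-op, since the key under which Helm exposes the files object is `Files`, not `.Files`; presumably the intent was `{{- $_ := unset $context "Files" }}` so that the later `omit $context "Values"` copies and `toYaml` round-trips do not carry file contents, but please confirm against the caller. A related style point: working state is written into `.Values` under `__daemonset_list`, `__default`, `__label_list`, `__current_label`, `__volume`, `__volume_list` and `__daemonset_yaml`, and only `__current_label` is unset afterwards, so the per-host and per-label deep copies taken with `omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list"` appear to carry the remaining scratch keys into `nodeData` and hence into the `configmap-etc-hash` input. A header comment such as `{{/* NOTE: mutates the caller's .Values; scratch keys prefixed "__" are left behind after rendering */}}` would at least make that visible to chart authors.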
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
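Review bot: In the slice branch, `index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey` is not guarded the way the string branch is, so an element of `$dependencyMixinParam` with no `dynamic.targeted` entry appears to fail the render rather than fall back to the static dependencies; wrapping the merge in the same check, `{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }}`, keeps the two branches consistent. The `__deps` scratch key is also left in `.Values` after the loop; `{{- $_ := unset $envAll.Values "__deps" -}}` after the `range` would avoid leaking it into later templates.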
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
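Review bot: `$wtf` as the name for the rewritten template path is a style point; `$templatePath` would tell the reader it is `Template.Name` with its basename swapped for `$name`. A caveat worth noting is that `replace $last $name` substitutes every occurrence of the basename in the full path, so a directory component equal to the template basename would yield an unexpected path; `{{- $templatePath := printf "%s/%s" (dir $context.Template.Name) $name -}}` only touches the last component. This define also lacks the abstract/usage/return comment the other snippets carry; a short one saying it renders the sibling template `$name` with the caller's context and returns the quoted sha256 of that output would help.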
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
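Review bot: The separator is emitted before the exclusion check, so an excluded image that follows an included one still produces a comma (tags `a`, `b`, `c` with `b` excluded render as `a,,c`). Moving the separator inside the inclusion branch fixes it: `{{- if (not (has $k $imageExcludeList )) -}}` followed by `{{- if not $local.first -}},{{- end -}}` and then the existing `{{- index $imageDict $k -}}`. A one-line abstract comment like the other utils have (comma-joined image references from `images.tags`, minus `images.local_registry.exclude`) would also be welcome.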
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
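Review bot: The license header of this file opens with `{/*` (single brace) instead of `{{/*`, so the template parser does not see a comment; the whole header through `*/}}` is treated as literal text rather than being dropped, unlike the sibling join helpers which open with `{{/*`. It is masked today only because `_*.tpl` partials are not rendered as manifests, but it will surface as stray output if any of this text is ever moved into a rendered template. The fix is the one-character change `{{/*` on the first line. The typo "seperated" in the previous file's abstract (joinListWithCommaAndSingleQuotes) could be corrected in the same pass.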
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_template.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/placement/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/placement/charts/helm-toolkit/values.yaml b/charts/placement/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/placement/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/placement/requirements.lock b/charts/placement/requirements.lock
new file mode 100644
index 0000000..dd3e146
--- /dev/null
+++ b/charts/placement/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.46
+digest: sha256:4baae4035ac4ec09ff414ac48d8f1e3f030d1ce1629727cb1ff24d44ffa000f1
+generated: "2022-08-16T23:07:28.301383965Z"
diff --git a/charts/placement/requirements.yaml b/charts/placement/requirements.yaml
new file mode 100644
index 0000000..639dab0
--- /dev/null
+++ b/charts/placement/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 Intel Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
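Review bot: The helm-toolkit dependency is declared with the open range `">= 0.1.0"` against a relative `file://../../openstack-helm-infra/helm-toolkit` path, so `helm dependency update` resolves to whatever checkout happens to sit two directories above this chart, which presumably does not exist in a repository that bundles the subchart itself. The lock file in the same commit records `0.2.46`; pinning the requirement to that version (`version: "0.2.46"`) keeps a rebuild from silently swapping the toolkit under the chart, or, if the bundled copy under `charts/placement/charts/helm-toolkit` is intended to be the source of truth, the `repository` should point at it instead. Whether the bundled copy is actually 0.2.46 is not visible in this hunk.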
diff --git a/charts/placement/templates/bin/_db-migrate.sh.tpl b/charts/placement/templates/bin/_db-migrate.sh.tpl
new file mode 100644
index 0000000..838e05f
--- /dev/null
+++ b/charts/placement/templates/bin/_db-migrate.sh.tpl
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+# To make this migration idempotent and not break the chart deployment,
+# we will treat a new deployment ($?==4) and migration completed ($?==3)
+# as success so things can proceed.
+function handler {
+ rv=$?
+ if [ $rv -eq 4 ] || [ $rv -eq 3 ]; then
+ exit 0
+ else
+ exit $rv
+ fi
+}
+
+trap handler EXIT
+
+/tmp/mysql-migrate-db.sh --mkconfig /tmp/migrate-db.rc
+
+sed -i \
+ -e "s/NOVA_API_USER=.*/NOVA_API_USER=\"${NOVA_API_USER}\"/g" \
+ -e "s/NOVA_API_PASS=.*/NOVA_API_PASS=\"${NOVA_API_PASS}\"/g" \
+ -e "s/NOVA_API_DB_HOST=.*/NOVA_API_DB_HOST=\"${NOVA_API_DB_HOST}\"/g" \
+ -e "s/PLACEMENT_USER=.*/PLACEMENT_USER=\"${PLACEMENT_USER}\"/g" \
+ -e "s/PLACEMENT_PASS=.*/PLACEMENT_PASS=\"${PLACEMENT_PASS}\"/g" \
+ -e "s/PLACEMENT_DB_HOST=.*/PLACEMENT_DB_HOST=\"${PLACEMENT_DB_HOST}\"/g" \
+ /tmp/migrate-db.rc
+
+/tmp/mysql-migrate-db.sh --migrate /tmp/migrate-db.rc
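Review bot: `set -ex` makes bash trace the `sed -i` invocation after `${NOVA_API_PASS}` and `${PLACEMENT_PASS}` have been expanded, so both database passwords are written to the job's stderr and from there into pod logs and any log aggregation. Use `set -e` here, or bracket the sed with `set +x` / `set -x`, so the trace never contains the expanded credentials. The rc file that `--mkconfig` writes to `/tmp/migrate-db.rc` holds the same credentials in clear text with the default umask; an `umask 077` before the first `/tmp/mysql-migrate-db.sh` call limits it to the job's own user. Separately, a password containing `/`, `&` or `\` breaks or alters the `s/…/…/g` expressions, so the substitution is only correct for a restricted character set; escaping the value or generating the rc file directly from the environment avoids that.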
diff --git a/charts/placement/templates/bin/_db-sync.sh.tpl b/charts/placement/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..48857b8
--- /dev/null
+++ b/charts/placement/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+placement-manage db sync
diff --git a/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl b/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl
new file mode 100644
index 0000000..a87ebaf
--- /dev/null
+++ b/charts/placement/templates/bin/_mysql-migrate-db.sh.tpl
@@ -0,0 +1,328 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This script will attempt to migrate your nova-api placement data to
+# a new placement database. Run it with --help for usage, and --mkconfig
+# to write a template config file to use.
+
+# Defaults we can guess
+DEFAULT_MIGRATE_TABLES="allocations placement_aggregates consumers inventories projects "
+DEFAULT_MIGRATE_TABLES+="resource_classes resource_provider_aggregates resource_provider_traits "
+DEFAULT_MIGRATE_TABLES+="resource_providers traits users "
+MIGRATE_TABLES=${MIGRATE_TABLES:-$DEFAULT_MIGRATE_TABLES}
+PLACEMENT_DB_HOST=${PLACEMENT_DB_HOST:-localhost}
+PLACEMENT_DB=${PLACEMENT_DB:-placement}
+NOVA_API_DB_HOST=${NOVA_API_DB_HOST:-localhost}
+NOVA_API_DB=${NOVA_API_DB:-nova_api}
+TMPDIR=${TMPDIR:-/tmp}
+LAST_MYSQL_ERR=${TMPDIR}/migrate-mysql-db.err
+INITIAL_PLACEMENT_DB_VERSION=${INITIAL_DB_VERSION:-b4ed3a175331}
+ME=$(basename "$0")
+
+declare -a ARGS
+declare -a OPTS
+
+function getflag() {
+ # Return true if --$flag is present on the command line
+ # Usage: getflag help -> 0
+ local flag="$1"
+ for opt in ${OPTS[*]}; do
+ if [ "$opt" == "--${flag}" ]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+function parse_argv() {
+ # Parse command line arguments into positional arguments and
+ # option flags. Store each in $ARGS, $OPTS.
+ # Usage: parse_argv $*
+ for item in $*; do
+ if echo $item | grep -q -- '^--'; then
+ OPTS+=($item)
+ else
+ ARGS+=($item)
+ fi
+ done
+}
+
+function db_var() {
+ # Return an attribute of database config based on the symbolic
+ # name
+ # Usage: db_var PLACEMENT USER -> $PLACEMENT_USER
+ local db="$1"
+ local var="$2"
+
+ eval echo "\$${db}_${var}"
+}
+
+function mysql_command() {
+ # Run a mysql command with the usual connection information taken
+ # from a symbolic configuration name
+ # Usage: mysql_command PLACEMENT [command] [args..] -> stdout
+ local whichdb="$1"
+ shift
+ local command=mysql
+ if [ "$2" ]; then
+ command=${1:-mysql}
+ shift
+ fi
+ local db=$(db_var $whichdb DB)
+ local host=$(db_var $whichdb DB_HOST)
+ local user=$(db_var $whichdb USER)
+ local pass=$(db_var $whichdb PASS)
+
+ if [ "$command" = "mysql" ]; then
+ command="mysql --skip-column-names"
+ fi
+
+ if [ ! -z "$MARIADB_X509" ]; then
+ local ca=/etc/mysql/certs/ca.crt
+ local cert=/etc/mysql/certs/tls.crt
+ local key=/etc/mysql/certs/tls.key
+ $command -h$host -u$user -p$pass $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key $* 2>$LAST_MYSQL_ERR
+ else
+ $command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR
+ fi
+}
+
+function show_error() {
+ # Prints the last error (if present) and removes the temporary
+ # file
+ if [ -f $LAST_MYSQL_ERR ]; then
+ cat $LAST_MYSQL_ERR
+ rm -f $LAST_MYSQL_ERR
+ fi
+}
+
+function check_db() {
+ # Check a DB to see if it's missing, present, filled with data
+ # Returns 0 if it is present with data, 1 if present but no data
+ # or 2 if not present (or unable to connect)
+ # Usage: check_db PLACEMENT -> 0
+ local whichdb="$1"
+
+ local inv
+ local inv_count
+
+ if ! echo "SELECT DATABASE()" | mysql_command $whichdb >/dev/null 2>&1; then
+ echo "Failed to connect to $whichdb database"
+ show_error
+ return 2
+ fi
+
+ inv=$(echo "SELECT COUNT(id) FROM inventories" |
+ mysql_command $whichdb)
+ if [ $? -ne 0 ]; then
+ # No schema
+ return 1
+ fi
+
+ inv_count=$(echo $inv | tail -n1)
+ if [ $inv_count -gt 0 ]; then
+ # Data found
+ return 0
+ else
+ # No data found, but schema intact
+ return 1
+ fi
+}
+
+function check_cli() {
+ # Returns 0 if placement cli is installed and configured,
+ # 1 if it is not installed, or 2 if the access to the
+ # placement database fails
+ # Usage: check_cli -> 0
+ placement-manage --version > /dev/null 2>&1
+
+ if [ $? -ne 0 ]; then
+ # placement not installed
+ return 1
+ fi
+
+ placement-manage db version > /dev/null 2>&1
+
+ if [ $? -ne 0 ]; then
+ # DB connection fails
+ return 2
+ fi
+}
+
+function migrate_data() {
+ # Actually migrate data from a source to destination symbolic
+ # database. Returns 1 if failure, 0 otherwise.
+ # Usage: migrate_data NOVA_API PLACEMENT -> 0
+ local source="$1"
+ local dest="$2"
+ local dump_flags="$3"
+ local tmpdir=$(mktemp -d migrate-db.XXXXXXXX)
+ local tmpfile="${tmpdir}/from-nova.sql"
+
+ echo "Dumping from $source to $tmpfile"
+ mysql_command $source mysqldump $dump_flags $MIGRATE_TABLES > $tmpfile || {
+ echo 'Failed to dump source database:'
+ show_error
+ return 1
+ }
+ echo "Loading to $dest from $tmpfile"
+ mysql_command $dest < $tmpfile || {
+ echo 'Failed to load destination database:'
+ show_error
+ return 1
+ }
+}
+
+function sanity_check_env() {
+ # Check that we have everything we need to examine the situation
+ # and potentially do the migration. Loads values from the rcfile,
+ # if present. Returns 1 if a config was not found, 2 if that
+ # config is incomplete or 0 if everything is good.
+ # Usage: sanity_check_env $rcfile -> 0
+
+ RCFILE="${1:-migrate-db.rc}"
+ if [ "$RCFILE" = '-' ]; then
+ # Don't require a file and assume everything is already
+ # set in the environment
+ true
+ elif [ ! -f "$RCFILE" ]; then
+ echo -n 'ERROR: Specify an RC file on the command line or create '
+ echo 'migrate-db.rc in the current directory'
+ echo
+ show_help
+ else
+ source $RCFILE
+ fi
+
+ required="NOVA_API_DB NOVA_API_USER NOVA_API_PASS PLACEMENT_DB PLACEMENT_USER PLACEMENT_PASS"
+ for var in $required; do
+ value=$(eval echo "\$$var")
+ if [ -z "$value" ]; then
+ echo "A value for $var was not provided but is required"
+ return 2
+ fi
+ done
+}
+
+function make_config() {
+ # Create or update a config file with defaults we know. Either use
+ # the default migrate-db.rc or the file specified on the command
+ # line.
+ RCFILE="${1:-migrate-db.rc}"
+ if [ -f "$RCFILE" ]; then
+ source $RCFILE
+ fi
+
+ vars="NOVA_API_DB NOVA_API_USER NOVA_API_PASS NOVA_API_DB_HOST "
+ vars+="PLACEMENT_DB PLACEMENT_USER PLACEMENT_PASS PLACEMENT_DB_HOST "
+ vars+="MIGRATE_TABLES"
+
+ (for var in $vars; do
+ val=$(eval echo "\$$var")
+ echo "${var}=\"$val\""
+ done) > $RCFILE
+
+ echo Wrote $(readlink -f $RCFILE)
+}
+
+function show_help() {
+ echo "Usage: $ME [flags] [rcfile]"
+ echo
+ echo "Flags:"
+ echo " --help: this text"
+ echo " --migrate: actually do data migration"
+ echo " --mkconfig: write/update config to \$rcfile"
+ echo " --skip-locks: don't use table locks for data migration"
+ echo
+ echo "Pass '-' as \$rcfile if all config values are set in"
+ echo "the environment."
+ echo
+ echo "Exit codes:"
+ echo " 0: Success"
+ echo " 1: Usage error"
+ echo " 2: Configuration missing or incomplete"
+ echo " 3: Migration already completed"
+ echo " 4: No data to migrate from nova (new deployment)"
+ echo " 5: Unable to connect to one or both databases"
+ echo " 6: Unable to execute placement's CLI commands"
+ exit 0
+}
+
+parse_argv $*
+
+if getflag help; then
+ show_help
+fi
+
+if getflag mkconfig; then
+ make_config $ARGS
+ exit 0
+fi
+
+#
+# Actual migration logic starts here
+#
+
+# Sanity check that we have what we need or bail
+sanity_check_env $ARGS || exit $?
+
+# Check the state of each database we care about
+check_db NOVA_API
+nova_present=$?
+check_db PLACEMENT
+placement_present=$?
+check_cli
+placement_cli=$?
+
+# Try to come up with a good reason to refuse to migrate
+if [ $nova_present -eq 0 -a $placement_present -eq 0 ]; then
+ echo "Migration has already completed. The placement database appears to have data."
+ exit 3
+elif [ $nova_present -eq 1 ]; then
+ echo "No data present in nova database - nothing to migrate (new deployment?)"
+ exit 4
+elif [ $nova_present -eq 2 ]; then
+ echo "Unable to proceed without connection to nova database"
+ exit 5
+elif [ $placement_present -eq 2 ]; then
+ echo "Unable to proceed without connection to placement database"
+ exit 5
+elif [ $placement_cli -eq 1 ]; then
+ echo "Unable to proceed without placement installed"
+ exit 6
+elif [ $placement_cli -eq 2 ]; then
+ echo "The 'placement-manage db version' command fails"
+ echo "Is placement.conf configured to access the new database?"
+ exit 6
+fi
+
+# If we get here, we expect to be able to migrate. Require them to opt into
+# actual migration before we do anything.
+
+echo Nova database contains data, placement database does not. Okay to proceed with migration
+
+if getflag migrate $*; then
+ if getflag skip-locks $*; then
+ migrate_data NOVA_API PLACEMENT "--skip-lock-tables --skip-add-locks"
+ else
+ migrate_data NOVA_API PLACEMENT
+ fi
+ placement-manage db stamp $INITIAL_PLACEMENT_DB_VERSION
+else
+ echo "To actually migrate, run me with --migrate"
+fi
+
+rm -f $LAST_MYSQL_ERR
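Review bot: `mysql_command` passes the database password on the command line as `-p$pass` in both branches, so it is readable by any process in the container (or on the node) through `ps` / `/proc/*/cmdline` for the whole duration of the dump and load. The mysql and mysqldump clients both honour the `MYSQL_PWD` environment variable, which keeps the secret out of argv with a two-line change. `migrate_data` also creates its scratch directory with `mktemp -d migrate-db.XXXXXXXX`, i.e. relative to the current working directory rather than `$TMPDIR`, and never removes `from-nova.sql`, which holds every migrated row; an `rm -rf "$tmpdir"` after the load (and in the two failure branches) closes that gap. Note that `$pass`, `$host` and `$db` remain unquoted here so the `$command` word-splitting behaviour the script relies on is unchanged.

```shell
function mysql_command() {
    # … unchanged: argument parsing, db_var lookups, --skip-column-names …
    # MYSQL_PWD keeps the password out of argv, so it is not visible in ps or /proc.
    if [ ! -z "$MARIADB_X509" ]; then
        local ca=/etc/mysql/certs/ca.crt
        local cert=/etc/mysql/certs/tls.crt
        local key=/etc/mysql/certs/tls.key
        MYSQL_PWD="$pass" $command -h$host -u$user $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key $* 2>$LAST_MYSQL_ERR
    else
        MYSQL_PWD="$pass" $command -h$host -u$user $db $* 2>$LAST_MYSQL_ERR
    fi
}
```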
diff --git a/charts/placement/templates/bin/_placement-api.sh.tpl b/charts/placement/templates/bin/_placement-api.sh.tpl
new file mode 100644
index 0000000..2b1b12d
--- /dev/null
+++ b/charts/placement/templates/bin/_placement-api.sh.tpl
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+
+ cp -a $(type -p placement-api) /var/www/cgi-bin/placement/
+
+ if [ -f /etc/apache2/envvars ]; then
+ # Loading Apache2 ENV variables
+ source /etc/apache2/envvars
+ # The directory below has to be created due to the fact that
+ # libapache2-mod-wsgi-py3 doesn't create it in contrary by libapache2-mod-wsgi
+ mkdir -p ${APACHE_RUN_DIR}
+ fi
+
+ # Get rid of stale pid file if present.
+ rm -f /var/run/apache2/*.pid
+
+ # Start Apache2
+ {{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+ {{- end }}
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
+}
+
+function stop () {
+ if [ -f /etc/apache2/envvars ]; then
+ source /etc/apache2/envvars
+ fi
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
+}
+
+$COMMAND
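Review bot: The bare `$COMMAND` on the last line runs whatever argument the container was started with as a shell word, so any value other than `start` or `stop` is executed as a command instead of being rejected; a `case` dispatch restricts the entry point to the two functions the script actually defines. On the `cp -a` line the command substitution should also be quoted, `cp -a "$(type -p placement-api)" /var/www/cgi-bin/placement/`, so the resolved path is not word-split. Today the arguments come only from the chart's own `command:` list, so this is structural hardening rather than a live defect.
```shell
# … unchanged: start() and stop() definitions …
case "${COMMAND}" in
  start|stop)
    "${COMMAND}"
    ;;
  *)
    echo "Unknown command: ${COMMAND}" >&2
    exit 1
    ;;
esac
```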
diff --git a/charts/placement/templates/certificates.yaml b/charts/placement/templates/certificates.yaml
new file mode 100644
index 0000000..ada7fde
--- /dev/null
+++ b/charts/placement/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/charts/placement/templates/configmap-bin.yaml b/charts/placement/templates/configmap-bin.yaml
new file mode 100644
index 0000000..4fc59ce
--- /dev/null
+++ b/charts/placement/templates/configmap-bin.yaml
@@ -0,0 +1,43 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: placement-bin
+data:
+ placement-api.sh: |
+{{ tuple "bin/_placement-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ db-migrate.sh: |
+{{ tuple "bin/_db-migrate.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ mysql-migrate-db.sh: |
+{{ tuple "bin/_mysql-migrate-db.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/placement/templates/configmap-etc.yaml b/charts/placement/templates/configmap-etc.yaml
new file mode 100644
index 0000000..c5880af
--- /dev/null
+++ b/charts/placement/templates/configmap-etc.yaml
@@ -0,0 +1,71 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.placement.placement_database.connection -}}
+{{- $connection := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.placement.placement_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.placement.placement_database "connection" $connection -}}
+{{- end -}}
+{{- end -}}
+
+{{- if empty .Values.conf.placement.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.placement.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.placement.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.placement.keystone_authtoken.os_region_name -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "os_region_name" .Values.endpoints.identity.auth.placement.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "project_name" .Values.endpoints.identity.auth.placement.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.placement.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.placement.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "username" .Values.endpoints.identity.auth.placement.username -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "password" .Values.endpoints.identity.auth.placement.password -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.placement.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.placement.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.placement.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: placement-etc
+type: Opaque
+data:
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+ placement.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.placement | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-placement.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
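Review bot: The `randAlphaNum 64` fallback on the `memcache_secret_key` line is evaluated on every template render, so unless `endpoints.oslo_cache.auth.memcache_secret_key` is set in values each `helm upgrade` silently rotates the key keystonemiddleware uses to protect its memcache token cache, and old and new pods disagree on it for the duration of the rollout. This matches the pattern in the other bundled OSH charts, but the behaviour is non-obvious enough to deserve a comment at the point of generation, e.g. `{{/* NOTE: randAlphaNum is regenerated on every render; set endpoints.oslo_cache.auth.memcache_secret_key for a key that is stable across upgrades */}}`. Rendering the database and keystone passwords into `placement.conf` is acceptable here because the object is a Secret rather than a ConfigMap.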
diff --git a/charts/placement/templates/deployment.yaml b/charts/placement/templates/deployment.yaml
new file mode 100644
index 0000000..9dcde00
--- /dev/null
+++ b/charts/placement/templates/deployment.yaml
@@ -0,0 +1,136 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+
+{{- $mounts_placement := .Values.pod.mounts.placement.placement }}
+{{- $mounts_placement_init := .Values.pod.mounts.placement.init_container }}
+
+{{- $serviceAccountName := "placement-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: placement-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "placement-api" "containerNames" (list "placement-api" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "placement" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ affinity:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.placement.enabled }}
+{{ tuple $envAll "placement" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_placement_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: placement-api
+{{ tuple $envAll "placement" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "placement" "container" "placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/placement-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/placement-api.sh
+ - stop
+ ports:
+ - name: p-api
+ containerPort: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ # NOTE(portdirect): use tcpSocket check as HTTP will return 401
+ tcpSocket:
+ port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ livenessProbe:
+ tcpSocket:
+ port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 50
+ periodSeconds: 10
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: wsgi-placement
+ mountPath: /var/www/cgi-bin/placement
+ - name: placement-bin
+ mountPath: /tmp/placement-api.sh
+ subPath: placement-api.sh
+ readOnly: true
+ - name: placement-etc
+ mountPath: /etc/placement/placement.conf
+ subPath: placement.conf
+ readOnly: true
+ {{- if .Values.conf.placement.DEFAULT.log_config_append }}
+ - name: placement-etc
+ mountPath: {{ .Values.conf.placement.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.placement.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: placement-etc
+ mountPath: /etc/placement/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+ - name: placement-etc
+ mountPath: /etc/apache2/conf-enabled/wsgi-placement.conf
+ subPath: wsgi-placement.conf
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: wsgi-placement
+ emptyDir: {}
+ - name: placement-bin
+ configMap:
+ name: placement-bin
+ defaultMode: 0555
+ - name: placement-etc
+ secret:
+ secretName: placement-etc
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
+{{- end }}
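Review bot: Both probes on the `placement-api` container are `tcpSocket` checks, which only prove that Apache is accepting connections and will keep a pod in service even when mod_wsgi cannot import or start the placement application. The inline note explains the choice (HTTP returns 401), but the unversioned root `/` of the placement API normally serves the version-discovery document without a token, so an `httpGet` probe with `path: /` and `port: p-api` (plus `scheme: HTTPS` when `manifests.certificates` is enabled) should be feasible; please confirm against the deployed image before switching. If the root does require a token in this build, extend the NOTE to say which endpoint was tried so the next maintainer does not repeat the experiment.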
diff --git a/charts/placement/templates/ingress.yaml b/charts/placement/templates/ingress.yaml
new file mode 100644
index 0000000..68ce111
--- /dev/null
+++ b/charts/placement/templates/ingress.yaml
@@ -0,0 +1,25 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress .Values.network.api.ingress.public }}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "placement" "backendPort" "p-api" -}}
+{{- $secretName := $envAll.Values.secrets.tls.placement.api.internal -}}
+{{- if and .Values.manifests.certificates $secretName -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/placement/templates/job-db-drop.yaml b/charts/placement/templates/job-db-drop.yaml
new file mode 100644
index 0000000..f6e26e7
--- /dev/null
+++ b/charts/placement/templates/job-db-drop.yaml
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $serviceName := "placement" -}}
+{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/placement/templates/job-db-init.yaml b/charts/placement/templates/job-db-init.yaml
new file mode 100644
index 0000000..6edd417
--- /dev/null
+++ b/charts/placement/templates/job-db-init.yaml
@@ -0,0 +1,37 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $serviceName := "placement" -}}
+{{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "placement_database" "configDbKey" "connection" -}}
+{{- $dbsToInit := list $dbApi }}
+{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/placement/templates/job-db-migrate.yaml b/charts/placement/templates/job-db-migrate.yaml
new file mode 100644
index 0000000..1b7f863
--- /dev/null
+++ b/charts/placement/templates/job-db-migrate.yaml
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_migrate }}
+{{- $envAll := . }}
+{{- $serviceAccountName := "placement-db-migrate" -}}
+{{- $service := "db_migrate" -}}
+{{ tuple $envAll $service $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: placement-db-migrate
+ labels:
+{{ tuple $envAll "placement" "db-migrate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+{{- if .Values.helm3_hook }}
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "-4"
+{{- end }}
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "placement" $service | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "placement-db-migrate" "containerNames" (list "placement-mysql-migration" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "placement" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.placement.enabled }}
+{{ tuple $envAll "placement" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+ initContainers:
+{{ tuple $envAll $service list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: placement-mysql-migration
+{{ tuple $envAll $service | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "placement" "container" "placement_mysql_migration" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/db-migrate.sh
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: NOVA_API_USER
+ value: {{ .Values.endpoints.oslo_db.auth.nova_api.username | quote }}
+ - name: NOVA_API_PASS
+ value: {{ .Values.endpoints.oslo_db.auth.nova_api.password | quote }}
+ - name: NOVA_API_DB_HOST
+ value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
+ - name: PLACEMENT_USER
+ value: {{ .Values.endpoints.oslo_db.auth.placement.username | quote }}
+ - name: PLACEMENT_PASS
+ value: {{ .Values.endpoints.oslo_db.auth.placement.password | quote }}
+ - name: PLACEMENT_DB_HOST
+ value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: placement-bin
+ mountPath: /tmp/mysql-migrate-db.sh
+ subPath: mysql-migrate-db.sh
+ readOnly: true
+ - name: placement-bin
+ mountPath: /tmp/db-migrate.sh
+ subPath: db-migrate.sh
+ readOnly: true
+ - name: placement-etc
+ mountPath: /etc/placement/placement.conf
+ subPath: placement.conf
+ readOnly: true
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: placement-bin
+ configMap:
+ name: placement-bin
+ defaultMode: 0555
+ - name: placement-etc
+ secret:
+ secretName: placement-etc
+ defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
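Review bot: The `NOVA_API_PASS` and `PLACEMENT_PASS` entries render `.Values.endpoints.oslo_db.auth.*.password` as literal `value:` strings, so both database passwords sit in plaintext in the Job spec, in the Helm release record, and in anything that logs the rendered manifest, whereas the keystone credentials a few lines above are pulled from a Secret via `keystone_openrc_env_vars` with `ksUserSecret`. Each of the four user/password entries should instead use `valueFrom: {secretKeyRef: {name: <db-credentials-secret>, key: <key>}}` pointing at a Secret the chart generates from those same values; the db-init job's use of `.Values.secrets.oslo_db.admin` suggests the chart already follows that pattern for the admin credential, but the per-user secret is not visible in this chunk. A secondary point: the container's resource block reuses `pod.resources.jobs.ks_service` rather than a dedicated `db_migrate` entry, which reads as a copy-paste from the ks-service job.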
diff --git a/charts/placement/templates/job-db-sync.yaml b/charts/placement/templates/job-db-sync.yaml
new file mode 100644
index 0000000..fea53d9
--- /dev/null
+++ b/charts/placement/templates/job-db-sync.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "placement" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/placement/templates/job-image-repo-sync.yaml b/charts/placement/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..2cda817
--- /dev/null
+++ b/charts/placement/templates/job-image-repo-sync.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "placement" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/placement/templates/job-ks-endpoints.yaml b/charts/placement/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..111ba33
--- /dev/null
+++ b/charts/placement/templates/job-ks-endpoints.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/placement/templates/job-ks-service.yaml b/charts/placement/templates/job-ks-service.yaml
new file mode 100644
index 0000000..10e45bd
--- /dev/null
+++ b/charts/placement/templates/job-ks-service.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/placement/templates/job-ks-user.yaml b/charts/placement/templates/job-ks-user.yaml
new file mode 100644
index 0000000..2c1a002
--- /dev/null
+++ b/charts/placement/templates/job-ks-user.yaml
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- end -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+{{- end }}
+{{- if .Values.pod.tolerations.placement.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/placement/templates/network_policy.yaml b/charts/placement/templates/network_policy.yaml
new file mode 100644
index 0000000..d4d209e
--- /dev/null
+++ b/charts/placement/templates/network_policy.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "placement" }}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/placement/templates/pdb.yaml b/charts/placement/templates/pdb.yaml
new file mode 100644
index 0000000..3d17a82
--- /dev/null
+++ b/charts/placement/templates/pdb.yaml
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: placement-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/placement/templates/secret-db.yaml b/charts/placement/templates/secret-db.yaml
new file mode 100644
index 0000000..91beb97
--- /dev/null
+++ b/charts/placement/templates/secret-db.yaml
@@ -0,0 +1,35 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "placement" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- if $envAll.Values.manifests.certificates }}
+ DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
+{{- end }}
+{{- end }}
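Review bot: In the `manifests.certificates` branch the `printf` appends `ssl_verify_cert` to the connection URI as a bare key with no value; whether the URL parser and the mysql+pymysql driver read a bare key as true is worth confirming, because an empty or dropped value would leave the TLS session without chain verification while looking enabled. If it does take effect, consider whether hostname verification (pymysql's `ssl_verify_identity`) is also intended, since `ssl_verify_cert` alone checks the chain against `/etc/mysql/certs/ca.crt` but not the server name. A comment above the `DB_CONNECTION` line stating the verification level expected would document the decision either way.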
diff --git a/charts/placement/templates/secret-ingress-tls.yaml b/charts/placement/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000..49931c5
--- /dev/null
+++ b/charts/placement/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "placement" ) }}
+{{- end }}
diff --git a/charts/placement/templates/secret-keystone.yaml b/charts/placement/templates/secret-keystone.yaml
new file mode 100644
index 0000000..ce24aa2
--- /dev/null
+++ b/charts/placement/templates/secret-keystone.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "placement" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/placement/templates/secret-registry.yaml b/charts/placement/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/placement/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/placement/templates/service-ingress.yaml b/charts/placement/templates/service-ingress.yaml
new file mode 100644
index 0000000..1eb19c2
--- /dev/null
+++ b/charts/placement/templates/service-ingress.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "placement" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/placement/templates/service.yaml b/charts/placement/templates/service.yaml
new file mode 100644
index 0000000..3d9bd01
--- /dev/null
+++ b/charts/placement/templates/service.yaml
@@ -0,0 +1,36 @@
+{{/*
+Copyright 2019 Intel Corporation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "placement" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: p-api
+ port: {{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{ end }}
+{{- end }}
diff --git a/charts/placement/values.yaml b/charts/placement/values.yaml
new file mode 100644
index 0000000..578d947
--- /dev/null
+++ b/charts/placement/values.yaml
@@ -0,0 +1,536 @@
+# Copyright 2019 Intel Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for openstack-placement.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+---
+release_group: null
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ pull_policy: IfNotPresent
+ tags:
+ placement: docker.io/openstackhelm/placement:stein-ubuntu_bionic
+ ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
+ db_migrate: quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic
+ placement_db_sync: docker.io/openstackhelm/placement:stein-ubuntu_bionic
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+network:
+ api:
+ port: 8778
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ external_policy_local: false
+ node_port:
+ enabled: false
+ port: 30778
+
+conf:
+ software:
+ apache2:
+ binary: apache2
+ start_parameters: -DFOREGROUND
+ # Enable/Disable modules
+ # a2enmod:
+ # - headers
+ # - rewrite
+ # a2dismod:
+ # - status
+ a2enmod: null
+ a2dismod: null
+ policy:
+ "context_is_admin": "role:admin"
+ "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
+ "default": "rule:admin_or_owner"
+ "admin_api": "role:admin"
+ "placement:resource_providers:list": "rule:admin_api"
+ "placement:resource_providers:create": "rule:admin_api"
+ "placement:resource_providers:show": "rule:admin_api"
+ "placement:resource_providers:update": "rule:admin_api"
+ "placement:resource_providers:delete": "rule:admin_api"
+ "placement:resource_classes:list": "rule:admin_api"
+ "placement:resource_classes:create": "rule:admin_api"
+ "placement:resource_classes:show": "rule:admin_api"
+ "placement:resource_classes:update": "rule:admin_api"
+ "placement:resource_classes:delete": "rule:admin_api"
+ "placement:resource_providers:inventories:list": "rule:admin_api"
+ "placement:resource_providers:inventories:create": "rule:admin_api"
+ "placement:resource_providers:inventories:show": "rule:admin_api"
+ "placement:resource_providers:inventories:update": "rule:admin_api"
+ "placement:resource_providers:inventories:delete": "rule:admin_api"
+ "placement:resource_providers:aggregates:list": "rule:admin_api"
+ "placement:resource_providers:aggregates:update": "rule:admin_api"
+ "placement:resource_providers:usages": "rule:admin_api"
+ "placement:usages": "rule:admin_api"
+ "placement:traits:list": "rule:admin_api"
+ "placement:traits:show": "rule:admin_api"
+ "placement:traits:update": "rule:admin_api"
+ "placement:traits:delete": "rule:admin_api"
+ "placement:resource_providers:traits:list": "rule:admin_api"
+ "placement:resource_providers:traits:update": "rule:admin_api"
+ "placement:resource_providers:traits:delete": "rule:admin_api"
+ "placement:allocations:manage": "rule:admin_api"
+ "placement:allocations:list": "rule:admin_api"
+ "placement:allocations:update": "rule:admin_api"
+ "placement:allocations:delete": "rule:admin_api"
+ "placement:resource_providers:allocations:list": "rule:admin_api"
+ "placement:allocation_candidates:list": "rule:admin_api"
+ "placement:reshaper:reshape": "rule:admin_api"
+ placement:
+ DEFAULT:
+ debug: false
+ use_syslog: false
+ log_config_append: /etc/placement/logging.conf
+ placement_database:
+ connection: null
+ keystone_authtoken:
+ auth_version: v3
+ auth_type: password
+ memcache_security_strategy: ENCRYPT
+ logging:
+ loggers:
+ keys:
+ - root
+ - placement
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_placement:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: placement
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ wsgi_placement: |
+ Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+ <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+ WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
+ WSGIProcessGroup placement-api
+ WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ <IfVersion >= 2.4>
+ ErrorLogFormat "%{cu}t %M"
+ </IfVersion>
+ ErrorLog /dev/stdout
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+ </VirtualHost>
+ Alias /placement /var/www/cgi-bin/placement/placement-api
+ <Location /placement>
+ SetHandler wsgi-script
+ Options +ExecCGI
+ WSGIProcessGroup placement-api
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ placement:
+ username: placement
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ secret:
+ tls:
+ internal: mariadb-tls-direct
+ placement:
+ username: placement
+ password: password
+ # NOTE: This should be the username/password used to access the nova_api
+ # database. This is required only if database migration from nova to
+ # placement is desired.
+ nova_api:
+ username: nova
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /placement
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ placement:
+ role: admin
+ region_name: RegionOne
+ username: placement
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ placement:
+ name: placement
+ hosts:
+ default: placement-api
+ public: placement
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: 'http'
+ port:
+ api:
+ default: 8778
+ public: 80
+
+pod:
+ security_context:
+ placement:
+ pod:
+ runAsUser: 42424
+ container:
+ placement_api:
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+ placement_mysql_migration:
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ tolerations:
+ placement:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ mounts:
+ placement:
+ init_container: null
+ placement:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_migrate:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+secrets:
+ identity:
+ admin: placement-keystone-admin
+ placement: placement-keystone-user
+ oslo_db:
+ admin: placement-db-admin
+ placement: placement-db-user
+ tls:
+ placement:
+ api:
+ public: placement-tls-public
+ internal: placement-tls-api
+ oci_image_registry:
+ placement: placement-oci-image-registry
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ api:
+ jobs:
+ - placement-db-sync
+ - placement-ks-service
+ - placement-ks-user
+ - placement-ks-endpoints
+ ks_endpoints:
+ jobs:
+ - placement-ks-user
+ - placement-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_migrate:
+ jobs:
+ - placement-db-init
+ - nova-db-sync
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - placement-db-init
+ # NOTE: This needs to be enabled if placement migration is required.
+ # - placement-db-migrate
+ services:
+ - endpoint: internal
+ service: oslo_db
+
+# NOTE(helm_hook): helm_hook might break for helm2 binary.
+# set helm3_hook: false when using the helm2 binary.
+helm3_hook: true
+
+manifests:
+ certificates: false
+ configmap_bin: true
+ configmap_etc: true
+ deployment: true
+ job_image_repo_sync: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_db_migrate: false
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ network_policy: false
+ secret_db: true
+ secret_ingress_tls: true
+ secret_registry: true
+ pdb: true
+ ingress: true
+ secret_keystone: true
+ service_ingress: true
+ service: true
+...
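Review bot: `pod.security_context.placement.container.placement_api` sets `runAsUser: 0` and `readOnlyRootFilesystem: false`, overriding the pod-level `runAsUser: 42424`, so the Apache front process runs as root even though `wsgi_placement` already drops the WSGI daemon to `user=placement group=placement` and the 8778 listen port needs no privilege; if root is only required for apache2 startup, a comment saying so would help, and pairing the override with `allowPrivilegeEscalation: false` and a capability drop would narrow it. The same file ships placeholder credentials (`password: password` under `endpoints.oslo_db.auth`, `endpoints.identity.auth` and `endpoints.oci_image_registry.auth`) that `secret-db.yaml` and `secret-keystone.yaml` appear to render straight into Secrets; a comment such as `# NOTE: placeholder credentials, override per deployment` above `endpoints:` would make the expectation explicit. `images.tags.db_migrate` uses the mutable `latest-ubuntu_bionic` tag, which every `values_overrides/*-ubuntu_*.yaml` in this commit repeats, so the migration job image is not reproducible; a release tag or digest is the fix.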
diff --git a/charts/placement/values_overrides/apparmor.yaml b/charts/placement/values_overrides/apparmor.yaml
new file mode 100644
index 0000000..84ca750
--- /dev/null
+++ b/charts/placement/values_overrides/apparmor.yaml
@@ -0,0 +1,14 @@
+---
+pod:
+ mandatory_access_control:
+ type: apparmor
+ placement-api:
+ placement-api: runtime/default
+ init: runtime/default
+ placement-db-migrate:
+ init: runtime/default
+ placement-mysql-migration: runtime/default
+
+manifests:
+ job_db_migrate: true
+...
diff --git a/charts/placement/values_overrides/netpol.yaml b/charts/placement/values_overrides/netpol.yaml
new file mode 100644
index 0000000..84557be
--- /dev/null
+++ b/charts/placement/values_overrides/netpol.yaml
@@ -0,0 +1,20 @@
+---
+manifests:
+ network_policy: true
+network_policy:
+ placement:
+ egress:
+ - {}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: nova
+ ports:
+ - protocol: TCP
+ port: 8778
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 8080
+...
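Review bot: `egress: - {}` under `network_policy.placement` is an allow-all egress rule, so enabling `manifests.network_policy` with this override restricts inbound traffic only; if the intent is to confine placement-api to its dependencies (the `oslo_db`, `oslo_cache` and `identity` endpoints in values.yaml), the egress list needs `to:`/`ports:` entries for those, or a comment stating that egress is deliberately open. The ingress rule also matches `application: nova` pods by `podSelector` alone, which only spans the policy's own namespace; presumably nova is co-located, but a comment noting that a `namespaceSelector` is required otherwise would save a debugging round.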
diff --git a/charts/placement/values_overrides/tls.yaml b/charts/placement/values_overrides/tls.yaml
new file mode 100644
index 0000000..adfd359
--- /dev/null
+++ b/charts/placement/values_overrides/tls.yaml
@@ -0,0 +1,79 @@
+---
+network:
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+conf:
+ software:
+ apache2:
+ a2enmod:
+ - ssl
+ placement:
+ keystone_authtoken:
+ cafile: /etc/placement/certs/ca.crt
+ wsgi_placement: |
+ Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+ <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+ ServerName {{ printf "%s.%s.svc.%s" "placement-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+ WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
+ WSGIProcessGroup placement-api
+ WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ <IfVersion >= 2.4>
+ ErrorLogFormat "%{cu}t %M"
+ </IfVersion>
+ ErrorLog /dev/stdout
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+ SSLEngine on
+ SSLCertificateFile /etc/placement/certs/tls.crt
+ SSLCertificateKeyFile /etc/placement/certs/tls.key
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ SSLHonorCipherOrder on
+ </VirtualHost>
+ Alias /placement /var/www/cgi-bin/placement/placement-api
+ <Location /placement>
+ SetHandler wsgi-script
+ Options +ExecCGI
+ WSGIProcessGroup placement-api
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ </Location>
+endpoints:
+ identity:
+ auth:
+ admin:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ placement:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ scheme:
+ default: https
+ port:
+ api:
+ default: 443
+ placement:
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: placement-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ scheme:
+ default: https
+ port:
+ api:
+ public: 443
+manifests:
+ certificates: true
+...
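Review bot: `SSLCipherSuite` in `conf.placement.wsgi_placement` still lists the CBC-mode TLS 1.2 suites `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA256` and `ECDHE-RSA-AES128-SHA256` after the AEAD ones, so with `SSLHonorCipherOrder on` a client offering only CBC suites is still accepted; trimming to the AEAD subset, `SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256`, matches the intent of `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`. The `wsgi_placement` block otherwise duplicates the default in values.yaml except for `ServerName` and the `SSLEngine` stanza; a comment noting that the two copies must be kept in sync would help whoever next edits either.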
diff --git a/charts/placement/values_overrides/train-ubuntu_bionic.yaml b/charts/placement/values_overrides/train-ubuntu_bionic.yaml
new file mode 100644
index 0000000..d721085
--- /dev/null
+++ b/charts/placement/values_overrides/train-ubuntu_bionic.yaml
@@ -0,0 +1,23 @@
+---
+images:
+ pull_policy: IfNotPresent
+ tags:
+ placement: "docker.io/openstackhelm/placement:train-ubuntu_bionic"
+ ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+ placement_db_sync: "docker.io/openstackhelm/placement:train-ubuntu_bionic"
+ dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+ job_db_migrate: true
+dependencies:
+ static:
+ db_sync:
+ jobs:
+ - placement-db-init
+ - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml b/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml
new file mode 100644
index 0000000..6f19c55
--- /dev/null
+++ b/charts/placement/values_overrides/ussuri-ubuntu_bionic.yaml
@@ -0,0 +1,23 @@
+---
+images:
+ pull_policy: IfNotPresent
+ tags:
+ placement: "docker.io/openstackhelm/placement:ussuri-ubuntu_bionic"
+ ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+ placement_db_sync: "docker.io/openstackhelm/placement:ussuri-ubuntu_bionic"
+ dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+ job_db_migrate: true
+dependencies:
+ static:
+ db_sync:
+ jobs:
+ - placement-db-init
+ - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/victoria-ubuntu_focal.yaml b/charts/placement/values_overrides/victoria-ubuntu_focal.yaml
new file mode 100644
index 0000000..1c94633
--- /dev/null
+++ b/charts/placement/values_overrides/victoria-ubuntu_focal.yaml
@@ -0,0 +1,23 @@
+---
+images:
+ pull_policy: IfNotPresent
+ tags:
+ placement: "docker.io/openstackhelm/placement:victoria-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+ placement_db_sync: "docker.io/openstackhelm/placement:victoria-ubuntu_focal"
+ dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+ job_db_migrate: true
+dependencies:
+ static:
+ db_sync:
+ jobs:
+ - placement-db-init
+ - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml b/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml
new file mode 100644
index 0000000..9122f5b
--- /dev/null
+++ b/charts/placement/values_overrides/wallaby-ubuntu_focal.yaml
@@ -0,0 +1,23 @@
+---
+images:
+ pull_policy: IfNotPresent
+ tags:
+ placement: "docker.io/openstackhelm/placement:wallaby-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+ placement_db_sync: "docker.io/openstackhelm/placement:wallaby-ubuntu_focal"
+ dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+ job_db_migrate: true
+dependencies:
+ static:
+ db_sync:
+ jobs:
+ - placement-db-init
+ - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/xena-ubuntu_focal.yaml b/charts/placement/values_overrides/xena-ubuntu_focal.yaml
new file mode 100644
index 0000000..c8355d9
--- /dev/null
+++ b/charts/placement/values_overrides/xena-ubuntu_focal.yaml
@@ -0,0 +1,23 @@
+---
+images:
+ pull_policy: IfNotPresent
+ tags:
+ placement: "docker.io/openstackhelm/placement:xena-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+ ks_service: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+ ks_endpoints: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:xena-ubuntu_focal"
+ db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+ placement_db_sync: "docker.io/openstackhelm/placement:xena-ubuntu_focal"
+ dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+ job_db_migrate: true
+dependencies:
+ static:
+ db_sync:
+ jobs:
+ - placement-db-init
+ - placement-db-migrate
+...
diff --git a/charts/placement/values_overrides/yoga-ubuntu_focal.yaml b/charts/placement/values_overrides/yoga-ubuntu_focal.yaml
new file mode 100644
index 0000000..b508709
--- /dev/null
+++ b/charts/placement/values_overrides/yoga-ubuntu_focal.yaml
@@ -0,0 +1,23 @@
+---
+images:
+ pull_policy: IfNotPresent
+ tags:
+ placement: "docker.io/openstackhelm/placement:yoga-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+ ks_service: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+ ks_endpoints: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:yoga-ubuntu_focal"
+ db_migrate: "quay.io/airshipit/porthole-mysqlclient-utility:latest-ubuntu_bionic"
+ placement_db_sync: "docker.io/openstackhelm/placement:yoga-ubuntu_focal"
+ dep_check: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ image_repo_sync: "docker.io/docker:17.07.0"
+manifests:
+ job_db_migrate: true
+dependencies:
+ static:
+ db_sync:
+ jobs:
+ - placement-db-init
+ - placement-db-migrate
+...
diff --git a/charts/senlin/Chart.yaml b/charts/senlin/Chart.yaml
new file mode 100644
index 0000000..e1614ff
--- /dev/null
+++ b/charts/senlin/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Senlin
+home: https://docs.openstack.org/senlin/latest/
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/Senlin/OpenStack_Project_Senlin_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: senlin
+sources:
+- https://opendev.org/openstack/senlin
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.6
diff --git a/charts/senlin/charts/helm-toolkit/Chart.yaml b/charts/senlin/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..d90280e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.44
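Review bot: Each chart in this bundle carries its own copy of helm-toolkit under `charts/<chart>/charts/helm-toolkit/`, so the `version: 0.2.44` pinned here should be checked against the copies vendored under the other charts; if they differ, the same helper templates (the endpoint lookups that follow) exist in several revisions in one repository and any fix has to be applied once per chart. Recording the intended toolkit revision for the whole bundle in the commit message, or vendoring one revision everywhere, would make any drift deliberate rather than accidental.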
diff --git a/charts/senlin/charts/helm-toolkit/requirements.yaml b/charts/senlin/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
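Review bot: The closing `printf "%s://%s:%s@%s:%s%s"` splices `$endpointUser` and `$endpointPass` into the URI verbatim, so a password containing `@`, `:`, `/`, `?` or `%` produces a URL that the consumer parses at the wrong boundary or rejects outright. Percent-encoding the userinfo before formatting, `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}`, keeps generated passwords with special characters usable; `urlquery` is the text/template builtin and encodes a space as `+`, so if passwords may contain spaces a different escaper is needed. The transport variant in `_authenticated_transport_endpoint_uri_lookup.tpl` below builds its credential fragment the same way at its `printf "%s:%s@%s-%d.%s:%s"` and `printf "%s:%s@%s:%s"` lines and needs the same treatment. Since this file is a vendored copy of helm-toolkit, the fix belongs upstream and then re-vendored here.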
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
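Review bot: The IPv4 test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any hostname that merely contains four dot-separated digit runs (a constructed `db-10.0.0.1.example.internal`, say) is treated as an address and returned without the FQDN lookup. Anchoring it, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, restricts the shortcut to bare dotted-quads; the identical pattern appears in `_hostname_short_endpoint_lookup.tpl` below. Separately, `$endpointScheme` on the line after `$endpointMap` is assigned and never read, and the helper parks its intermediate value in `$context.Values.__endpointHost`, which mutates the shared values object for every template rendered afterwards (the FQDN lookup does the same with `__FQDNendpointHostDefault`); a local `dict` scratch, as the transport lookup uses with `$local`, avoids that side effect.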
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
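Review bot: `printf "%1.f" $endpointPort` only renders correctly when the port reaches the template as a number; a value quoted in values.yaml (`default: "3306"`) renders as `%!f(string=3306)` and silently yields an unusable endpoint, and nothing in the hunk documents the requirement. The `%1.f` format suggests the author relies on numeric values arriving as floats, which is worth stating. Suggest a comment above the printf, `{{/* ports must be numeric in values; %1.f formats the float Helm decodes them as, and a quoted port string is not supported */}}`, or a `kindIs "string" $endpointPort` branch that prints the string as-is.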
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
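Review bot: The `abstract:` in the header comment says `Resolves the namespace scoped hostname for an endpoint`, but the define returns only `$namespace` (its own `return:` example is `default`), so the abstract appears to have been copied from `_hostname_namespaced_endpoint_lookup.tpl`. Suggest `Resolves the namespace for an endpoint, falling back to the release namespace`.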
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
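Review bot: When `$endpointHost` matches the IPv4 regex the define emits `$type` (the endpoint type, e.g. `oslo_db`) rather than the address, and neither example in the header covers that branch, so a reader only discovers it from the `printf "%s" $type` line. If that is the intent, a comment on the branch, `{{/* an IP literal has no short name; return the endpoint type so callers still get a stable label */}}`, would document it; if not, it is a defect worth confirming against the callers. `$endpointScheme` is assigned and unused here as well.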
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
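Review bot: The `usage:` example in the header, `{{ tuple identity . | include "keystone_endpoint_name_lookup" }}`, passes `identity` unquoted and names the include without its `helm-toolkit.endpoints.` prefix, so copying it fails at render time. Suggest `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`; the `abstract:` also reads `for an service type` and should be `for a service type`.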
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
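Review bot: The prose comment above the define names `helm-toolkit.endpoints.keystone_scheme_lookup`, but the template defined on the next line is `helm-toolkit.endpoints.keystone_endpoint_scheme_lookup`, so the example cannot be used as written; suggest correcting it to `# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }`. Both branches fall back to `"http"` when no scheme is configured, so a missing or misspelled `scheme` key silently produces a plaintext URI rather than a render error; that default deserves a sentence in the abstract so chart authors know to set `scheme` explicitly for endpoints that must be TLS. The `$port` argument is bound but never read, as the FIXME above already notes.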
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/senlin/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
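Review bot: `{{- if .service.name }}` in the IP-address branch dereferences `.service` without checking that the endpoint map has a `service` key, so an endpoint whose host is an IP literal and that has no `service` block looks like it would abort rendering with a nil-pointer evaluation error instead of falling through to the `namespace:type` default the abstract describes. Suggest guarding it, e.g. `{{- if and (hasKey . "service") .service.name }}` (Helm builds on Go 1.18+ short-circuit `and`; otherwise nest the two `if`s). Also, the regex `[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+` is unanchored, so it matches any hostname containing a dotted-quad substring and never matches IPv6 literals; the abstract should state that only IPv4 hosts trigger the override.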
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
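Review bot: `monitors: {{ $monHost }}` on the parameters line is emitted unquoted while every other parameter goes through `| quote`; a `mon_host` value taken from `conf.ceph.global.mon_host` in Ceph's bracketed form (constructed example: `[v2:10.0.0.1:3300,v1:10.0.0.1:6789]`) would be parsed by YAML as a flow sequence and rejected by the StorageClass schema, and the documented `host:6789` form only survives because it has no `: ` sequence. Suggest `monitors: {{ $monHost | quote }}`. The endpoint lookup fallback only runs when `$monHost` is empty, so `conf.ceph.global` appears to have to exist in values for the second line of the define not to fail; the abstract documents neither the `conf.ceph.global.mon_host` override nor that precondition.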
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
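Review bot: The `set` calls that fill in `dnsNames`, `privateKey`, `duration`, `renewBefore` and `usages` write back into `$envAll.Values.endpoints.<service>.host_fqdn_override.default.tls` rather than a local copy, so including this template mutates the chart's values for the remainder of the render; `_ingress.tpl` in this same commit reads `duration` from that path for its `cert-manager.io/duration` annotation, so whether the annotation appears depends on whether the Certificate was rendered first. That side effect belongs in the header, e.g. `{{/* NOTE: defaults are written into .Values.endpoints.<service>.host_fqdn_override.default.tls and are visible to templates rendered afterwards */}}`. `printf "%d" 4096 | atoi` is a round-trip for the literal `4096` and could be written as such. `$slice` is resolved with `index` before any `hasKey` check, so a service lacking a `tls` map under `host_fqdn_override.default` fails on that lookup rather than with a descriptive `required` message.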
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..7846895
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,729 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network.server.ingress -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
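Review bot: `$ingressConf := $envAll.Values.network.server.ingress` in the fqdn branch hardcodes the `server` key, whereas the class and annotation lookups above and below it use `index $envAll.Values.network $backendService "ingress"`; for a chart whose ingress settings live under `network.api`, as in every example in the header, this looks like it would either fail with a nil-pointer evaluation once a `host_fqdn_override` is set or never observe `use_external_ingress_controller`. Suggest `{{- $ingressConf := index $envAll.Values.network $backendService "ingress" -}}`. Separately, the `tls:` stanzas are emitted only when both `tls.key` and `tls.crt` are non-empty (or a `certIssuer` is passed), so an endpoint declared with `scheme.public: https` but without cert material silently yields a plaintext Ingress; a comment stating that contract next to the `hasKey $endpointHost "tls"` checks would help operators, and `kubernetes.io/ingress.class` is the deprecated annotation form of `spec.ingressClassName` on `networking.k8s.io/v1` Ingress.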
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
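Review bot: The `docker-socket` volume near the end of the hunk is a `hostPath` to `/var/run/docker.sock` with no `type`, so on a node without a docker daemon the kubelet creates an empty directory at that path and the job only fails later inside the script; `type: Socket` makes the mismatch fail at pod start instead. Access to that socket also amounts to control of the node's container runtime, and nothing in the template records that the job needs a namespace where hostPath mounts are permitted. Consider adding `type: Socket` under `hostPath:` and a comment above the volume such as `# docker.sock gives the job node-level control of the container runtime; keep it on registry nodes (nodeSelector above) only`.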
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
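Review bot: The second usage line in the header comment (`{{ dict "envAll" . "key" "myLabel" "labels" (dict ...)}}`) is missing the `| include "helm-toolkit.manifests.kubernetes_network_policy"` pipe that the first line has, so a reader copying it gets a template that renders nothing; it should end with `| include "helm-toolkit.manifests.kubernetes_network_policy" }}`. In the generated egress block, the target `application` label is derived from the text before the first `-` of each endpoint's `hosts.internal` or `hosts.default`; an endpoint whose hostname does not begin with its application label yields a selector that matches no pods, and with a default-deny policy that silently blocks the traffic, which deserves a comment such as `# egress target is inferred from the host prefix; endpoints whose hosts do not start with the application label need an explicit network_policy.<label>.egress entry`. The `split "-" $defaultValue` on the `default` branch appears to run on a nil value when `hosts` has neither `internal` nor `default`; I would expect a render-time error there rather than a skipped rule, worth confirming.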
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
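Review bot: The header examples disagree with the template body in two places that a chart author would copy verbatim: the values example puts the credential under `name: {{ $userName }}`, while the body reads `$imageCredentials.username`, and the return example shows a `dockerconfigjson:` key while the body emits `.dockerconfigjson:`. With the documented `name` key the auth token is built from an empty username and the secret is still produced, so the mistake surfaces only as a pull failure. Change the example lines to `username: {{ $userName }}` and `.dockerconfigjson: {{ $dockerAuth }}`, and consider guarding the lookup with Helm's `required` so a missing entry fails at render time: `{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser | required (printf "endpoints.oci_image_registry.auth.%s must be set" $registryUser) }}`.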
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
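Review bot: The `if and $endpointHost.tls.key $endpointHost.tls.crt` guard silently renders no Secret when a `tls` block is present but only one of `key`/`crt` is filled in, so the ingress that references the secret name fails later at runtime rather than at `helm install`. Since the outer `hasKey $endpointHost "tls"` already distinguishes "no TLS configured", a partial `tls` block is a misconfiguration and an `{{- else }}{{- fail (printf "endpoints.%s.host_fqdn_override.%s.tls needs both key and crt" $backendServiceType $endpoint) }}` branch would surface it at render time. Note also that `join "\n"` on two block scalars that already end in a newline leaves a blank line between the certificate and the CA, as the example output shows; PEM readers generally tolerate this, but a short comment above that line saying so would save the next reader a question.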
diff --git a/charts/senlin/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/senlin/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
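Review bot: The `else` branch adds `--no-check-certificate` for every non-http endpoint, so TLS to `$RGW_HOST` is never verified and the admin keypair in `ADMIN_AUTH_ARGS` is sent to whatever answers at that address. Prefer pointing s3cmd at a CA bundle mounted from the chart (for example `CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT_PATH}"`, with `RGW_CA_CERT_PATH` a placeholder for a value-supplied mount path) and keep the unverified mode as an explicit opt-in rather than the default. The keys are also passed as command-line arguments, which are readable in the process table by anything sharing the PID namespace; if the bundled s3cmd honours `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, exporting those instead avoids that exposure. Quoting the bucket argument (`"s3://$S3_BUCKET"`) is a small robustness improvement alongside.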
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
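Review bot: `--secret-key ${S3_SECRET_KEY}` in both `create_s3_user` and `update_s3_user` puts the S3 secret on the `radosgw-admin` command line, where it is visible in the process table and in any shell trace, so this script must never run with `set -x`; a comment at the top stating that, e.g. `# do not enable xtrace: secret keys are passed as arguments below`, would protect the next maintainer. The loop in `update_s3_user` removes every S3 key whose access key differs from the supplied one, which is destructive for a user that legitimately holds several keys; if that is intended, say so above the loop (`# the user is expected to hold exactly the chart-managed key pair`). Separately, `--uid=${S3_USERNAME}\` in the `user modify` call has no space before the continuation backslash; it happens to work because the next line begins with whitespace, but it should read `--uid=${S3_USERNAME} \` to match the other calls.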
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
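Review bot: The root URL is rebuilt with `''.join([...])` from the decoded `url.username` and `url.password`, so a root password containing URL-reserved characters (`@`, `:`, `/`, `%`) is re-inserted unescaped and a connection string without a port yields the literal text `None`; SQLAlchemy's URL object can produce the stripped URL directly, e.g. `root_engine = create_engine(root_engine_full.url.set(database=None, query={}), connect_args=ssl_args)` on 1.4+ (older releases allow assigning `url.database = None`). The `DROP DATABASE IF EXISTS {0}` and `DROP USER IF EXISTS {0}` statements interpolate the identifier unquoted; the values come from the operator-supplied connection string rather than from untrusted input, but wrapping the identifier in MySQL backticks avoids breakage on names with dashes and makes that trust boundary explicit in a comment such as `# database/user names come from DB_CONNECTION, an operator-controlled value`.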
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..4294d40
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+ database, user, password, mysql_x509))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
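Review bot: The GRANT statement near the end of the hunk interpolates the service user's password straight into the SQL text (`IDENTIFIED BY \'{2}\'`), so a password containing a single quote yields a malformed or unintended statement, and `database`/`user` are likewise used as unescaped identifiers taken from the DB_CONNECTION string. Escape the password through the DBAPI's string escaping before formatting, or at least validate `database` and `user` against an identifier pattern (for example a constructed `^[A-Za-z0-9_]+$`) and abort otherwise; the `DROP DATABASE`/`DROP USER` calls in the preceding db-drop hunk share the same shape. Separately, `root_engine_url = ''.join([...])` rebuilds the URL from the already-decoded `url.username`/`url.password`, so a root password containing `@`, `:` or `/` produces an unparsable URL and the misleading 'Could not connect to database as root user'; re-encode both with `urllib.parse.quote(value, safe='')` when joining, and note that `str (port)` becomes the literal `None` when the connection string has no port. Since this file is a bundled copy of helm-toolkit (the same file appears under charts/barbican/charts/helm-toolkit in this commit), any fix has to be applied to every copy or upstream.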
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
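Review bot: `EXPORT PGDATABASE=$2` inside `pgsql_superuser_cmd` uses a capitalised `EXPORT`, which bash treats as an external command that does not exist, so any caller passing a second argument aborts under `set -e` instead of switching database; it should read `export PGDATABASE="$2"`. None of the visible callers pass a second argument, so the branch is currently dead, which is why it has not failed yet. Also, the script runs under `set -ex`, and the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` invocations are expanded before the trace line is printed, so the service database password ends up in the job's log output; wrap those two calls in `set +x` / `set -x` the way `_ks-user.sh.tpl` in this commit does around `openstack user set --password`. PGPASSWORD itself is not traced, since psql reads it from the environment.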
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
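Review bot: `openstack user create ... --password="${SERVICE_OS_PASSWORD}"` and the following `openstack user set --password=...` run under `set -ex`, so the expanded password is written to the job log by the trace. The sibling `_ks-user.sh.tpl` in this commit guards the equivalent step with `set +x` before `openstack user set` and `set -x` after it, printing a redacted echo instead; do the same here for both commands (dropping `--password` from the `--or-show` create and relying on the `user set` that follows would leave a single guarded site). The value also appears on the CLI's command line for as long as it runs, which is worth a comment if the image cannot be switched to a file- or stdin-based secret.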
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
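Review bot: `OS_SERVICE_ID=$( openstack service list ... | grep ... | sed ... )` assumes exactly one service matches `,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$`, but the companion `_ks-service.sh.tpl` in this commit documents that duplicate services do occur after a failed listing, in which case the variable holds several IDs separated by newlines and `openstack endpoint create ... "${OS_SERVICE_ID}"` fails with an unhelpful error. Fail fast right after the assignment, mirroring the multiple-endpoint check already below it: `if [ "$(echo "${OS_SERVICE_ID}" | wc -w)" -ne 1 ]; then echo "Expected exactly one service ID, got: ${OS_SERVICE_ID}"; exit 1; fi`. The grep patterns also embed the service name and type unescaped in a regex, so a name containing `.` matches more broadly than intended; with the current naming conventions this is presumably harmless.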
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
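Review bot: The retry loop cannot tell "service not found" apart from "`openstack service list` failed", because the pipeline's status is that of `sed`, so after three failed listings (the ECONNRESET case the FIXME above describes) the script falls through to `openstack service create` and produces exactly the duplicate service the comment warns about. Capture the listing in its own assignment so a non-zero exit from `openstack` is visible, keep retrying on a blank ID as today, and refuse to create the service when no listing ever succeeded; only the loop and the fall-through change. `set -o pipefail` alone is not a fix here, since with `set -e` an ordinary `grep` non-match would then abort the script.
```shell
OS_SERVICE_LISTED="false"
for i in $(seq 3)
do
  if OS_SERVICE_LIST=$(openstack service list -f csv --quote none); then
    OS_SERVICE_LISTED="true"
    OS_SERVICE_ID=$( echo "${OS_SERVICE_LIST}" | \
      grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
      sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
    # If the service was found, go ahead and exit successfully.
    if [[ -n "${OS_SERVICE_ID}" ]]; then
      exit 0
    fi
  fi
  sleep 2
done

# Do not create a service when the listing itself never succeeded.
if [[ "${OS_SERVICE_LISTED}" != "true" ]]; then
  echo "Could not list keystone services after 3 attempts; not creating ${OS_SERVICE_NAME}"
  exit 1
fi

# … unchanged: openstack service create … "${OS_SERVICE_TYPE}") …
```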
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
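Review bot: The member-role assignment at the end of the hunk is dead code: `ks_assign_user_role` unconditionally recomputes `USER_ROLE_ID` from `$SERVICE_OS_ROLE` before calling `openstack role add`, so the `export USER_ROLE_ID=$(openstack role create --or-show ... "${MEMBER_OS_ROLE}")` just above the final call is overwritten and the user receives the last role from `SERVICE_OS_ROLES` a second time (or the call fails when that list was empty and `SERVICE_OS_ROLE` is unset). Presumably the intent was to grant `MEMBER_OS_ROLE`; the simplest fix is to make the function take the role name as a parameter and pass it explicitly from both call sites.
```shell
function ks_assign_user_role () {
  local ROLE_NAME="$1"
  if [[ "${ROLE_NAME}" == "admin" ]]
  then
    USER_ROLE_ID="${ROLE_NAME}"
  else
    USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${ROLE_NAME}");
  fi

  # … unchanged: openstack role add … "${USER_ROLE_ID}" …
}

# Manage user service role
IFS=','
for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
  ks_assign_user_role "${SERVICE_OS_ROLE}"
done

# Manage user member role
: ${MEMBER_OS_ROLE:="member"}
ks_assign_user_role "${MEMBER_OS_ROLE}"
```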
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..87872d6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,106 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
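Review bot: `rabbitmqadmin_cli` forwards its arguments with an unquoted `${@}` in both branches, so the `password="${RABBITMQ_PASSWORD}"` argument built by the caller is re-split on whitespace and glob-expanded before it reaches `rabbitmqadmin`; a password containing a space or `*` is silently truncated or mangled. Use `"$@"` on both lines. The awk-based extraction at the top has the related limitation that a password containing `:`, `@` or `/` (or percent-encoding) is cut at the wrong field, which deserves a comment on the accepted format, e.g. `# RABBITMQ_*_CONNECTION must be scheme://user:pass@host:port/vhost with no ':', '@' or '/' inside user or pass`. `--ssl-disable-hostname-verification` in the TLS branch also warrants a one-line justification, since it leaves the CA check as the only server-identity control.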
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
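Review bot: `if [ $revisionResults = "None" ]` in `create_or_update_db` leaves the variable unquoted, so empty or multi-word output from `rally db revision` turns the test into a syntax error that aborts the script under `set -e`; write `if [ "${revisionResults}" = "None" ]`. The deployment file written to `/tmp/rally-config.json` holds the admin and service passwords in clear text and is only removed on the success path after `rally deployment create`; create it under a restrictive mask (`umask 077` before the `cat > ... << EOF`) and remove it from `rally_cleanup` (or a separate EXIT trap, since `rally_cleanup` is only installed when RALLY_CLEANUP is true) so a failed create does not leave it behind. The heredoc body is not echoed by `set -x`, so the trace itself does not expose these values.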
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..516d79e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,514 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f fd ]]; then
+ rm -f fd
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
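Review bot: `if $REMOTE_BACKUP; then` in backup_databases executes the de-quoted value of REMOTE_BACKUP_ENABLED as a command, so the branch only works because `true` and `false` happen to be executables; any other value either fails with "command not found" and silently skips the remote upload, or runs whatever program the value names. Compare the string instead: `if [[ "${REMOTE_BACKUP}" == "true" ]]; then`. Two smaller defects sit in the same hunk: the WARN in remove_old_local_archives writes `${$ARCHIVE_DIR}`, which bash rejects as a bad substitution, so the missing-directory path errors out instead of logging, and the cleanup loop at the end of remove_old_remote_archives tests and removes the literal name `fd` rather than `"${fd}"`, so the two mktemp files are never deleted and a spurious warning is logged on every run. The `-z fileTable[${INDEX}]` test in create_hash_table likewise checks a non-empty literal string and is always false; it is harmless today only because the else branch appends to an empty value.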
diff --git a/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
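Review bot: A misspelled or missing `images.tags` key does not fail the render: `index $envAll.Values.images.tags $image` yields nil for an absent key and, as I read sprig's `quote`, both `image:` branches then emit `image: ""`, so the mistake only surfaces when the pod is rejected or stuck pulling. Wrapping the lookup with Helm's `required` turns it into a `helm template` error that names the key: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. This is a bundled copy of helm-toolkit, so the change belongs upstream and then needs re-syncing into every chart that vendors it.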
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
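Review bot: The `return:` section of the header comment does not describe what the define emits: the template always adds an `OS_DEFAULT_DOMAIN` entry (from the secret's `OS_DEFAULT_DOMAIN` key) and emits `OS_CACERT` only when `useCA` is truthy, while the comment omits the former, lists the latter unconditionally, and the `usage:` line never shows the `useCA` key. Suggest extending the usage example to `( dict "ksUserSecret" .Values.secrets.identity.admin "useCA" true )`, adding the `OS_DEFAULT_DOMAIN` block to `return:`, and marking `OS_CACERT` as conditional. A one-line template comment above `OS_ENDPOINT_TYPE` stating that it intentionally reads the `OS_INTERFACE` secret key would also help, since it reads like a copy-paste slip.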
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
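Review bot: The credential fields are base64-encoded straight from values with no presence check, so an `endpoints.identity.auth.<class>` entry whose `password` or `username` is an empty string (for example a templated value that expanded to nothing) renders a Secret with an empty credential, and the failure only appears when a client tries to authenticate. Helm's `required` makes this a render-time error: `OS_USERNAME: {{ $userContext.username | required "identity auth username is required" | b64enc }}` and `OS_PASSWORD: {{ $userContext.password | required "identity auth password is required" | b64enc }}`. As I read Go templates, a key that is missing entirely (nil) already fails inside `b64enc`, so the guard is mainly for the empty-string case. Being a bundled helm-toolkit copy, the change belongs upstream.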
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
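Review bot: The `usage:` example in the header passes `"useCA" true`, but the define only reads `.ksUserSecret` and never emits an `OS_CACERT` entry, so that key is silently ignored. Either the example should drop it, giving `{{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }}`, or the template should gain the same `{{- if $useCA }}` / `OS_CACERT` block the openrc env-vars snippet has; the header should state which of the two is intended.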
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
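Review bot: The template reads the profiles from `$envAll.Values.conf.apparmor_profiles`, but the `values:` example in the header places `apparmor_profiles` under `pod.mandatory_access_control`, so a chart that follows the documented layout renders no ConfigMap at all. If the consuming chart has no `conf` key, the `.Values.conf.apparmor_profiles` lookup presumably fails with a nil-pointer render error rather than skipping quietly. The header should move `apparmor_profiles` under `conf:` to match the code, and a comment above the `if` such as `{{/* profiles live under .Values.conf, not under pod.mandatory_access_control */}}` would stop the next reader from trusting the example.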
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
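Review bot: The loader's `image:` is taken verbatim from `images.tags.apparmor_loader` and left unquoted, while the rest of this toolkit resolves images through `helm-toolkit.snippets.image`, which applies the local-registry prefix, quotes the reference and emits `imagePullPolicy`; as written the loader bypasses the local registry mirror and inherits the cluster default pull policy, which deserves attention for a container that runs `privileged: true` with host `/sys` and `/etc/apparmor.d` mounted. Replacing the `image:` line with `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` produces both fields consistently. The header's `values:` example could also note that a digest-pinned `apparmor_loader` tag is advisable given the privileges granted.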
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
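Review bot: The innermost guard passes `index $envAll.Values.pod.security_context $application "container"` to `hasKey`; when an application stanza exists but has no `container` key (for instance only pod-level settings), `index` returns nil and, as I read sprig's `hasKey`, the render fails with a type error instead of emitting nothing, which defeats the optional-snippet intent. Inserting a check for the `container` level between the two existing guards keeps it optional: `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "container" }}` with a matching `{{- end -}}`. Separately, `( index $envAll.Values.pod.security_context )` in the first guard is a single-argument `index` that returns its argument unchanged; `hasKey $envAll.Values.pod.security_context $application` reads clearer. Bundled helm-toolkit copy, so the fix belongs upstream.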
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
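Review bot: `$envAll` is bound in the first line of the define but never read, so the binding only suggests a dependency on values that does not exist; either drop it or use it. The rendered `-l application=... -l component=...` string is meant to be spliced into a kubectl command line and interpolates both arguments verbatim, so callers must pass label-safe, shell-safe constants. A one-line header comment would make that contract explicit, e.g. `{{/* Renders kubectl label-selector flags; arguments are interpolated verbatim and must be valid label values */}}`.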
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
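Review bot: The annotation key emitted in the inner `range`, `container.apparmor.security.beta.kubernetes.io/<name>`, is the legacy beta form; Kubernetes 1.30 promoted AppArmor to GA with the `securityContext.appArmorProfile` field and deprecated the annotation, so newer clusters may warn on it and could eventually stop honouring it. An AppArmor profile that is not applied fails open (the container simply runs without the confinement the operator configured), so the helper should at least state the limitation in its header, e.g. `{{/* NOTE: emits the deprecated beta annotation; on Kubernetes >= 1.30 prefer securityContext.appArmorProfile (type: Localhost, localhostProfile: <name>) */}}`. The profile value is also rendered unquoted after the colon; `{{ $apparmorProfile | quote }}` avoids a broken manifest if a value ever contains a YAML indicator.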
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
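Review bot: The `default` labels are rendered after the per-component labels, so a key present in both (or one that collides with `release_group`/`application`/`component`) produces a duplicate YAML key; most parsers keep the last occurrence, which means the `default` value silently wins over the component-specific override, and strict decoders may reject the manifest outright. Merging the maps before rendering gives a single, predictable result: `{{- $labels := mergeOverwrite (dict) ($envAll.Values.pod.labels.default | default dict) (index $envAll.Values.pod.labels $component | default dict) }}` followed by `{{ toYaml $labels }}`. `release_group` is also rendered unquoted; `{{ ... | quote }}` guards against a release name that YAML would type as something other than a string, since label values must be strings.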
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
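Review bot: The `if`/`else if` in the main define covers only the two known strategy types, so a misspelled `pod.affinity.anti.type` renders a bare `podAntiAffinity:` (null) and the scheduler applies no anti-affinity at all — the spreading the operator configured is silently lost. Failing the render is safer than a fail-open manifest: add `{{- else }}` and `{{ fail (printf "unsupported pod anti-affinity type %q" $antiAffinityType) }}` before the final `{{- end -}}`. The usage and return examples in the header also spell the application as `appliction_x`; fixing the typo avoids it being copied into charts.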
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
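Review bot: The `secrets` branch of the rules grants `list` as well as `get`, and a namespaced `list` on secrets lets the bound ServiceAccount enumerate every Secret in the namespace, not just the one it depends on; `resourceNames` can constrain `get` but cannot constrain `list`. If kubernetes-entrypoint only fetches named secrets (not verified from this hunk), the `list` verb should be dropped for that resource and `get` scoped with `resourceNames`, which needs a per-resource rule rather than the single shared `verbs` list used here. The `extensions` apiGroup in the same rule is obsolete for daemonsets and jobs on current Kubernetes and can go, and a header comment explaining that `$deps` is the list of resource kinds produced by the serviceaccount helper would make the range over `$k, $v` (where `$k` is unused) easier to follow.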
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
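Review bot: `$randomKey := randAlphaNum 32` followed by `dict $randomKey ""` and the later `unset` is only a roundabout way to obtain an empty mutable map; `{{- $allNamespace := dict }}` gives the same thing without the random placeholder and without the cleanup step. Worth adding as a comment near the ServiceAccount manifest: every container in a pod that uses this ServiceAccount receives its token, so the get/list permissions created for the init container's dependency checks (including `secrets` when a `secret` dependency is declared) are also reachable from the application containers. The helper also stores its working state in `$envAll.Values.__kubernetes_entrypoint_init_container`, which the init-container snippet earlier in this change reuses, so the two must stay in sync; a short note at the top of the define would save the next maintainer from changing one without the other.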
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
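Review bot: The `security_context` branch indexes `$application "pod"` without first checking that the `pod` key exists, so a missing or misspelled key makes `toYaml` render `null` and the pod gets `securityContext: null` — no pod-level hardening, with no error. Guarding the render, e.g. `{{- if hasKey (index $envAll.Values.pod.security_context $application) "pod" }}`, or failing with `fail` when the key is absent, makes the omission visible. Unlike the kubernetes_entrypoint init-container helper earlier in this change, this snippet applies no secure defaults (such as `runAsNonRoot: true`), so a header note stating that charts must supply `pod.security_context.<app>.pod` themselves would help reviewers of values files.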
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
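Review bot: `mergeOverwrite $probeTemplate $probeOverides` merges into its first argument in place, so the caller's `$probeTemplate` map is mutated; a caller that builds one template and passes it for both `liveness` and `readiness` would see the first probe's `params` leak into the second. Merging into a fresh map avoids that: `{{ dict ( printf "%sProbe" $type ) (mergeOverwrite (dict) $probeTemplate $probeOverides ) | toYaml }}`. A header comment should also say that `params` are merged on top of the template with overwrite semantics, since that is what lets values override `httpGet`/`exec` fields, not just timings.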
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
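Review bot: The return example in the header is broken YAML (`memory: "128Mi` is missing its closing quote), and `$component` in the define actually holds the resources map passed by the caller, not a component name, which the `usage` line makes clear but the variable name does not. Since this helper is marked deprecated, the header should say what replaces it, and should state that when `pod.resources.enabled` is false nothing is rendered, leaving containers with no requests or limits — a consequence operators may not expect from a single flag.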
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
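Review bot: The `container.seccomp.security.alpha.kubernetes.io/<name>` annotation emitted here has been deprecated since Kubernetes 1.19 in favour of `securityContext.seccompProfile`, and recent releases no longer honour it, so on such clusters the configured profile is silently not applied and the container runs with whatever the runtime default is. Because this fails open, the helper should either render the field form (`seccompProfile: {type: Localhost, localhostProfile: <name>}` in the container's securityContext) or carry a prominent header note, e.g. `{{/* NOTE: seccomp annotations are deprecated and ignored on current Kubernetes; use securityContext.seccompProfile */}}`. The `hasKey (index $envAll.Values.pod "seccomp") $podName` check also errors if `pod.seccomp` is absent entirely; a `hasKey $envAll.Values.pod "seccomp"` guard first would make the helper safe to call from charts that do not define it.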
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
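Review bot: The values example documents an `enabled: true` flag, but the define never reads `.enabled`, so `tolerations:` is rendered whenever the helper is called — setting `enabled: false` in values (for example to keep workloads off control-plane nodes) has no effect. Wrap the output in the flag: `{{- if $pod.enabled }}` before `tolerations:` and a matching `{{- end }}` after the `toYaml` line, or drop `enabled` from the documented values so the contract is honest. `$pod` would also read better as `$tolerationsMap`, since it is the per-component tolerations entry, not a pod.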
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/senlin/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/senlin/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
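Review bot: `{{- $_ := unset $context ".Files" }}`, the first statement after the argument binding, removes a key literally named `.Files`; the root context's key is `Files`, so the call is a no-op and whatever it was meant to strip from the copied context is still present. `$context` is also the caller's root `.`, so every `set`/`unset` here — including the `__daemonset_list`, `__default`, `__label_list` and `__current_label` scratch keys written into `$context.Values` — mutates state shared with all templates rendered after this one; the `omit` at the top of each per-node copy drops only `conf` and `__daemonset_list`, so `__default` and `__label_list` appear to be copied into every node's `nodeData`. Either correct the key to `"Files"` with a comment saying why it is removed, or delete the line, and add a note such as `{{/* NOTE: __* keys are scratch state written into .Values and visible to later templates */}}` next to the first `set`.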
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
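Review bot: The slice branch lacks the guard the string branch has: for a string mixin the code first checks `index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam` and falls back to the static dependencies, but in the `range $k, $v := $dependencyMixinParam` loop `index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey` is evaluated unconditionally, so a mixin name with no `dynamic.targeted` entry will most likely abort the render (indexing an untyped nil) instead of degrading to the static list. Wrap the merge in the same check, `{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }}` … `{{- end }}`, so both input shapes behave alike. A one-line comment noting that `pod_dependency` and `__deps` are written into the shared `.Values` would also help, since callers see them after this include returns.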
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
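Review bot: `replace $last $name` substitutes every occurrence of the basename in `$context.Template.Name`, not only the final path segment, so a template whose basename also appears as a directory component would be rewritten to a non-existent name and the `include` would fail. Building the path from the directory is unambiguous and reads better than the `$wtf` local: `{{- $wtf := printf "%s/%s" (dir $context.Template.Name) $name -}}`. Since the result is a hash of the fully rendered sibling template, a comment stating that it is meant for rollout-triggering annotations (it changes whenever the rendered content, secrets included, changes) would document the contract; the same path logic is duplicated in `_template.tpl` and should be kept in sync.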
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
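Review bot: The comma is emitted before the exclusion check, so an excluded image that follows an included one still produces a separator and the output contains empty elements (for images `a`, `b`, `c` with `b` excluded the result is `a,,c`). Move `{{- if not $local.first -}},{{- end -}}` inside the `has` guard, directly before `{{- index $imageDict $k -}}`, so the separator is only written when a value is. It would also help to say in an abstract block that this template reads `.Values.images.tags` and `.Values.images.local_registry.exclude` from the root context, unlike the tuple-style helpers around it.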
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
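Review bot: Values are wrapped in single quotes but never escaped, so an element containing `'` yields a malformed list for whatever consumer expects the quoted form; the template cannot know the consumer's escaping rule (SQL-style `''`, backslash, or none), so at minimum the abstract should state the constraint, e.g. `values must not contain single quotes; they are emitted verbatim`. The abstract also has a typo (`seperated`). Like its siblings, this helper iterates values of a map as well as a list, which is worth a word in the doc since the order is then key-sorted rather than insertion order.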
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
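Review bot: The license header opens with `{/*` instead of `{{/*`, so it is not a template comment: the first line of this file is literal text and the `*/}}` on the closing line is literal text with no matching open action. Helm discards the non-define output of `_*.tpl` files, which is presumably why this has gone unnoticed, but any tooling that lints the templates, or a future move of the text into a rendered file, will trip on it. Change the first line to `{{/*` to match every other file in this directory.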
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
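Review bot: When a key is missing from the target and the source value is a map, `_merge.shallow` copies only the top level, so nested maps are still the source's own objects; a later merge into the same key (the third value of a tuple, or the `merge_same_named` path, which likewise copies `$item` shallowly and then merges into `$named_item`) will `set` into those nested maps and silently mutate the source — in `dependency_resolver` that source is `.Values.dependencies.static`, so later templates see altered values. Replacing the shallow copy with a recursive merge into an empty dict fixes both sites: `{{- $call := dict "target" $copy "source" $sourceValue "merge_same_named" $.merge_same_named -}}` followed by `{{- $_ := include "helm-toolkit.utils._merge" $call -}}`, and the same substitution for `$copy_call`. The header comment should then state that sources are never mutated; today it only documents what happens to the target.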
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_template.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
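Review bot: As in `_hash.tpl`, `replace $last $name` rewrites every occurrence of the basename within `$context.Template.Name` rather than only the final segment, so a template whose basename coincides with a directory component resolves to a non-existent name. `{{- $wtf := printf "%s/%s" (dir $context.Template.Name) $name -}}` avoids that and makes the intent — render the sibling template `$name` in the same directory — readable without a comment. Also note that `{{ include $wtf $context }}` (no `-` on the left) emits a leading newline; `_configmap_templater.tpl` pipes this through `indent 4`, so if that blank line is unintended use `{{- include $wtf $context -}}`.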
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/senlin/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/senlin/charts/helm-toolkit/values.yaml b/charts/senlin/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/senlin/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/senlin/requirements.lock b/charts/senlin/requirements.lock
new file mode 100644
index 0000000..8fc523d
--- /dev/null
+++ b/charts/senlin/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: 0.2.44
+digest: sha256:d3a834e34152bf30319ac30e116adc128b474ca63bbbe0fb323a7a2365a56455
+generated: "2022-08-10T23:42:35.775397606Z"
diff --git a/charts/senlin/requirements.yaml b/charts/senlin/requirements.yaml
new file mode 100644
index 0000000..4124d01
--- /dev/null
+++ b/charts/senlin/requirements.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">= 0.1.0"
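Review bot: `repository: file://../../openstack-helm-infra/helm-toolkit` resolves, relative to charts/senlin, to a directory outside this repository, so `helm dependency update` on the bundled chart fails unless an openstack-helm-infra checkout happens to sit beside this repo. Since helm-toolkit is vendored under charts/senlin/charts/helm-toolkit in this same commit, either document that dependencies are pre-resolved and must not be rebuilt here, or point `repository` at a path or chart repository that exists in this layout. The requirements.lock hunk above records a digest for the same path, so whichever choice is made should keep the two files consistent.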
diff --git a/charts/senlin/templates/bin/_bootstrap.sh.tpl b/charts/senlin/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 0000000..6452d0a
--- /dev/null
+++ b/charts/senlin/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
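Review bot: `.Values.bootstrap.script` is rendered verbatim into this script under `set -ex`, so whatever a values override puts there runs with the bootstrap job's credentials, and nothing in the template states that contract. A comment above the substitution would make it visible to anyone reviewing values files: `# NOTE: bootstrap.script is executed verbatim; review values overrides as you would code.`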
diff --git a/charts/senlin/templates/bin/_db-sync.sh.tpl b/charts/senlin/templates/bin/_db-sync.sh.tpl
new file mode 100644
index 0000000..7577969
--- /dev/null
+++ b/charts/senlin/templates/bin/_db-sync.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+senlin-manage db_sync
diff --git a/charts/senlin/templates/bin/_senlin-api.sh.tpl b/charts/senlin/templates/bin/_senlin-api.sh.tpl
new file mode 100644
index 0000000..e7de2c1
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-api.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+ exec senlin-api \
+ --config-file /etc/senlin/senlin.conf
+}
+
+function stop () {
+ kill -TERM 1
+}
+
+$COMMAND
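Review bot: `$COMMAND` on the last line is expanded unquoted and run as a bare command, so any argument handed to the entrypoint is executed rather than being limited to the two functions this script defines, and several arguments are first joined into one string by `COMMAND="${@:-start}"`. Dispatching only the known subcommands and failing loudly on anything else keeps the container entrypoint's behaviour explicit:
```shell
# … unchanged: start() and stop() definitions …
case "${COMMAND}" in
  start|stop) "${COMMAND}" ;;
  *) echo "unknown command: ${COMMAND}" >&2; exit 1 ;;
esac
```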
diff --git a/charts/senlin/templates/bin/_senlin-conductor.sh.tpl b/charts/senlin/templates/bin/_senlin-conductor.sh.tpl
new file mode 100644
index 0000000..ea120a6
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-conductor.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec senlin-conductor \
+ --config-file /etc/senlin/senlin.conf
\ No newline at end of file
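Review bot: This file ends without a trailing newline (`\ No newline at end of file`), unlike the sibling _senlin-engine.sh.tpl, and _senlin-health-manager.sh.tpl further down has the same omission. Both scripts are pulled into the bin ConfigMap through `helm-toolkit.utils.template` with `indent 4`, so a terminating newline keeps the rendered block scalars consistent across the scripts and avoids a spurious diff the next time an editor adds one.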
diff --git a/charts/senlin/templates/bin/_senlin-engine-cleaner.sh.tpl b/charts/senlin/templates/bin/_senlin-engine-cleaner.sh.tpl
new file mode 100644
index 0000000..a345f12
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-engine-cleaner.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+senlin-manage service clean
diff --git a/charts/senlin/templates/bin/_senlin-engine.sh.tpl b/charts/senlin/templates/bin/_senlin-engine.sh.tpl
new file mode 100644
index 0000000..f4ba64b
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-engine.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec senlin-engine \
+ --config-file /etc/senlin/senlin.conf
diff --git a/charts/senlin/templates/bin/_senlin-health-manager.sh.tpl b/charts/senlin/templates/bin/_senlin-health-manager.sh.tpl
new file mode 100644
index 0000000..b19779a
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-health-manager.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+exec senlin-health-manager \
+ --config-file /etc/senlin/senlin.conf
\ No newline at end of file
diff --git a/charts/senlin/templates/bin/_senlin-test.sh.tpl b/charts/senlin/templates/bin/_senlin-test.sh.tpl
new file mode 100644
index 0000000..7b3e264
--- /dev/null
+++ b/charts/senlin/templates/bin/_senlin-test.sh.tpl
@@ -0,0 +1,139 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+# Set defaults to use for testing.
+: ${IMAGE_ID:="$(openstack image show -f value -c id \
+ $(openstack image list -f csv | awk -F ',' '{ print $2 "," $1 }' | \
+ grep "^\"Cirros" | head -1 | awk -F ',' '{ print $2 }' | tr -d '"'))"}
+: ${FLAVOR_ID:="$(openstack flavor show m1.tiny -f value -c id)"}
+: ${NETWORK_NAME:="public"}
+: ${SUB_TIMEOUT:=1200}
+
+# Define functions to use during tests.
+function gen_uuid () {
+ cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1
+}
+
+function wait_for_senlin_cluster {
+ set +x
+ end=$(($(date +%s) + ${SUB_TIMEOUT}))
+ while true; do
+ STATE=$(openstack cluster show "${1}" -f value -c status)
+ [ "x${STATE}" == "xACTIVE" ] && break
+ sleep 1
+ now=$(date +%s)
+ [ $now -gt $end ] && echo "Node did not come up in time" && openstack cluster show "${1}" && exit -1
+ done
+ set -x
+ openstack cluster show "${1}"
+}
+
+function wait_for_senlin_node {
+ set +x
+ end=$(($(date +%s) + ${SUB_TIMEOUT}))
+ while true; do
+ STATE=$(openstack cluster node show "${1}" -f value -c status)
+ [ "x${STATE}" == "xACTIVE" ] && break
+ sleep 1
+ now=$(date +%s)
+ [ $now -gt $end ] && echo "Node did not come up in time" && openstack cluster node show "${1}" && exit -1
+ done
+ set -x
+ openstack cluster node show "${1}"
+}
+
+function wait_for_senlin_profile_delete {
+ set +x
+ end=$(($(date +%s) + ${SUB_TIMEOUT}))
+ until openstack cluster profile delete "${1}" --force; do
+ sleep 1
+ now=$(date +%s)
+ [ $now -gt $end ] && echo "Profile did not delete in time" && exit -1
+ done
+ set -x
+}
+
+# Start test run.
+SENLIN_CLUSTER_PROFILE=$(gen_uuid)
+SENLIN_CLUSTER_NAME=$(gen_uuid)
+SENLIN_NODE_NAME=$(gen_uuid)
+
+# Create a cluster profile.
+tee > /tmp/cirros_basic.yaml <<EOF
+type: os.nova.server
+version: 1.0
+properties:
+ name: osh-test
+ flavor: "${FLAVOR_ID}"
+ image: "${IMAGE_ID}"
+ #key_name: oskey
+ networks:
+ - network: ${NETWORK_NAME}
+ metadata:
+ test_key: test_value
+ user_data: |
+ #!/bin/sh
+ echo 'hello, world' > /tmp/test_file
+EOF
+openstack cluster profile create --spec-file /tmp/cirros_basic.yaml "${SENLIN_CLUSTER_PROFILE}"
+
+# Create a 0 node cluster using the profile.
+# NOTE(portdirect): There is a bug in the Newton era osc/senlin client
+# interaction, so we fall back to calling senlin client directly to create
+# a cluster, before outright failing.
+openstack cluster create --profile "${SENLIN_CLUSTER_PROFILE}" "${SENLIN_CLUSTER_NAME}" || \
+ senlin cluster-create -p "${SENLIN_CLUSTER_PROFILE}" "${SENLIN_CLUSTER_NAME}" || false
+
+# Resize the cluster to contain a node.
+openstack cluster resize --capacity 1 "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+
+# Expand the cluster by one node.
+openstack cluster expand "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+
+# Shrink the cluster by one node.
+openstack cluster shrink "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+
+# Create a single node using the cluster profile.
+# NOTE(portdirect): There is a bug in the Newton era osc/senlin client
+# interaction, so we fall back to calling senlin client directly to create
+# a node, before outright failing.
+openstack cluster node create --profile "${SENLIN_CLUSTER_PROFILE}" "${SENLIN_NODE_NAME}" || \
+ senlin node-create -p "${SENLIN_CLUSTER_PROFILE}" "${SENLIN_NODE_NAME}" || false
+wait_for_senlin_node "${SENLIN_NODE_NAME}"
+
+# Add the node to the cluster.
+openstack cluster members add --nodes "${SENLIN_NODE_NAME}" "${SENLIN_CLUSTER_NAME}"
+openstack cluster members list "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_node "${SENLIN_NODE_NAME}"
+
+# Remove the node from the cluster.
+openstack cluster members del --nodes "${SENLIN_NODE_NAME}" "${SENLIN_CLUSTER_NAME}"
+openstack cluster members list "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_cluster "${SENLIN_CLUSTER_NAME}"
+wait_for_senlin_node "${SENLIN_NODE_NAME}"
+
+# Cleanup the resources created.
+openstack cluster node delete "${SENLIN_NODE_NAME}" --force
+openstack cluster delete "${SENLIN_CLUSTER_NAME}" --force
+wait_for_senlin_profile_delete "${SENLIN_CLUSTER_PROFILE}"
+
+echo 'Tests Passed'
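Review bot: The timeout branch in wait_for_senlin_cluster reports `Node did not come up in time` although it is polling a cluster, and all three wait helpers use `exit -1`, which bash reports as status 255 rather than a conventional failure code; `[ $now -gt $end ] && echo "Cluster did not come up in time" && openstack cluster show "${1}" && exit 1` fixes both for the first helper, with `exit 1` applied to wait_for_senlin_node and wait_for_senlin_profile_delete as well. Because the script runs under `set -e` and sets no `trap ... EXIT`, a failure anywhere before the cleanup section leaves the profile, cluster and node behind in the test project, so a re-run accumulates orphaned resources; an exit trap that runs the three cleanup commands from the end of the script would make the test safe to repeat.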
diff --git a/charts/senlin/templates/configmap-bin.yaml b/charts/senlin/templates/configmap-bin.yaml
new file mode 100644
index 0000000..1236ddc
--- /dev/null
+++ b/charts/senlin/templates/configmap-bin.yaml
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+{{- $rallyTests := .Values.conf.rally_tests }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: senlin-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+ senlin-test.sh: |
+{{ tuple "bin/_senlin-test.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+ db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+ ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+ ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+ ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+ senlin-api.sh: |
+{{ tuple "bin/_senlin-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ senlin-conductor.sh: |
+{{ tuple "bin/_senlin-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ senlin-engine.sh: |
+{{ tuple "bin/_senlin-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ senlin-engine-cleaner.sh: |
+{{ tuple "bin/_senlin-engine-cleaner.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ senlin-health-manager.sh: |
+{{ tuple "bin/_senlin-health-manager.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbit-init.sh: |
+{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
+{{- end }}
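Review bot: `$rallyTests` is assigned from `.Values.conf.rally_tests` at the top of the template but never referenced in the data section, so the line is dead and sends readers looking for a rally entry that does not exist. Drop `{{- $rallyTests := .Values.conf.rally_tests }}` or wire it to the key it was meant to feed.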
diff --git a/charts/senlin/templates/configmap-etc.yaml b/charts/senlin/templates/configmap-etc.yaml
new file mode 100644
index 0000000..a47a3a4
--- /dev/null
+++ b/charts/senlin/templates/configmap-etc.yaml
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+{{- if empty .Values.conf.senlin.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+
+# FIXME(alanmeadows) fix for broken keystonemiddleware oslo config gen in newton - will remove in future
+{{- if empty .Values.conf.senlin.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken "auth_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "region_name" .Values.endpoints.identity.auth.senlin.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "project_name" .Values.endpoints.identity.auth.senlin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.senlin.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.senlin.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "username" .Values.endpoints.identity.auth.senlin.username -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "password" .Values.endpoints.identity.auth.senlin.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.keystone_authtoken.memcached_servers -}}
+{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.senlin.keystone_authtoken "memcached_servers" -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.database.connection -}}
+{{- $_ := tuple "oslo_db" "internal" "senlin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.senlin.database "connection" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.DEFAULT.transport_url -}}
+{{- $_ := tuple "oslo_messaging" "internal" "senlin" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.senlin.DEFAULT "transport_url" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.senlin_api.bind_port -}}
+{{- $_ := tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.senlin.senlin_api "bind_port" -}}
+{{- end -}}
+
+{{- if empty .Values.conf.senlin.authentication.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.senlin.authentication "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_password -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_password" .Values.endpoints.identity.auth.senlin.password -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_project_domain -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_project_domain" .Values.endpoints.identity.auth.senlin.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_project_name -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_project_name" .Values.endpoints.identity.auth.senlin.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_user_domain -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_user_domain" .Values.endpoints.identity.auth.senlin.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.authentication.service_username -}}
+{{- $_ := set .Values.conf.senlin.authentication "service_username" .Values.endpoints.identity.auth.senlin.username -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
+{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
+{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
+{{- end -}}
+
+{{- if and (empty .Values.conf.logging.formatter_fluent) (has "fluent" .Values.conf.logging.formatters.keys) -}}
+{{- $formatter_fluent := dict "class" "oslo_log.formatters.FluentFormatter" -}}
+{{- $_ := set .Values.conf.logging "formatter_fluent" $formatter_fluent -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: senlin-etc
+type: Opaque
+data:
+ rally_tests.yaml: {{ toYaml .Values.conf.rally_tests.tests | b64enc }}
+ senlin.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.senlin | b64enc }}
+ logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
+ api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
+ policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
+{{- end }}
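Review bot: When neither `.Values.conf.senlin.keystone_authtoken.memcache_secret_key` nor `.Values.endpoints.oslo_cache.auth.memcache_secret_key` is set, the fallback `randAlphaNum 64` is evaluated on every render, so each `helm upgrade` writes a different key into senlin.conf inside the senlin-etc Secret and invalidates whatever the api pods had cached in memcache; presumably the chart's default values supply a key, but the template does not say so. A comment on that line, `# NOTE: the random fallback is regenerated on every render; set endpoints.oslo_cache.auth.memcache_secret_key for stable upgrades`, would document the expectation. Separately, the `# FIXME(alanmeadows)` line is plain template text rather than a `{{/* */}}` comment, so it appears in the rendered output as a YAML comment ahead of the `---` separator; wrapping it in a template comment keeps it out of the manifest.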
diff --git a/charts/senlin/templates/cron-job-engine-cleaner.yaml b/charts/senlin/templates/cron-job-engine-cleaner.yaml
new file mode 100644
index 0000000..cae292e
--- /dev/null
+++ b/charts/senlin/templates/cron-job-engine-cleaner.yaml
@@ -0,0 +1,91 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.cron_job_engine_cleaner }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_engine_cleaner := .Values.pod.mounts.senlin_engine_cleaner.senlin_engine_cleaner }}
+{{- $mounts_senlin_engine_cleaner_init := .Values.pod.mounts.senlin_engine_cleaner.init_container }}
+
+{{- $serviceAccountName := "senlin-engine-cleaner" }}
+{{ tuple $envAll "engine_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: senlin-engine-cleaner
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ schedule: {{ .Values.jobs.engine_cleaner.cron | quote }}
+ successfulJobsHistoryLimit: {{ .Values.jobs.engine_cleaner.history.success }}
+ failedJobsHistoryLimit: {{ .Values.jobs.engine_cleaner.history.failed }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels:
+{{ tuple $envAll "senlin" "engine-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "senlin" "engine-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "engine_cleaner" $mounts_senlin_engine_cleaner_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+ containers:
+ - name: senlin-engine-cleaner
+{{ tuple $envAll "senlin_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+ command:
+ - /tmp/senlin-engine-cleaner.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: senlin-bin
+ mountPath: /tmp/senlin-engine-cleaner.sh
+ subPath: senlin-engine-cleaner.sh
+ readOnly: true
+ - name: etcsenlin
+ mountPath: /etc/senlin
+ - name: senlin-etc
+ mountPath: /etc/senlin/senlin.conf
+ subPath: senlin.conf
+ readOnly: true
+ {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+ - name: senlin-etc
+ mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+{{ if $mounts_senlin_engine_cleaner.volumeMounts }}{{ toYaml $mounts_senlin_engine_cleaner.volumeMounts | indent 16 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: etcsenlin
+ emptyDir: {}
+ - name: senlin-etc
+ secret:
+ secretName: senlin-etc
+ defaultMode: 0444
+ - name: senlin-bin
+ configMap:
+ name: senlin-bin
+ defaultMode: 0555
+{{ if $mounts_senlin_engine_cleaner.volumes }}{{ toYaml $mounts_senlin_engine_cleaner.volumes | indent 12 }}{{ end }}
+{{- end }}
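Review bot: The `senlin-engine-cleaner` container sets no `securityContext`, whereas every Deployment in this commit pins its main container to `runAsUser: {{ .Values.pod.user.senlin.uid }}` (deployment-api.yaml, deployment-conductor.yaml, deployment-engine.yaml, deployment-health-manager.yaml); the cleaner therefore runs as whatever USER the `senlin_engine_cleaner` image declares, which is not visible here. For consistency with the deployments, add directly under the container, at the same indent as `command:`, the two lines `securityContext:` / `  runAsUser: {{ .Values.pod.user.senlin.uid }}`. A minor style point: the `/etc/senlin` emptyDir is named `etcsenlin` here but `pod-etc-senlin` in all four deployments; one name would make the templates easier to grep.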
diff --git a/charts/senlin/templates/deployment-api.yaml b/charts/senlin/templates/deployment-api.yaml
new file mode 100644
index 0000000..d6577ff
--- /dev/null
+++ b/charts/senlin/templates/deployment-api.yaml
@@ -0,0 +1,126 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_api := .Values.pod.mounts.senlin_api.senlin_api }}
+{{- $mounts_senlin_api_init := .Values.pod.mounts.senlin_api.init_container }}
+
+{{- $serviceAccountName := "senlin-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: senlin-api
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.api }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
+ terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
+ initContainers:
+{{ tuple $envAll "api" $mounts_senlin_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: senlin-api
+{{ tuple $envAll "senlin_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.senlin.uid }}
+ command:
+ - /tmp/senlin-api.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/senlin-api.sh
+ - stop
+ ports:
+ - name: s-api
+ containerPort: {{ tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ readinessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: {{ tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: senlin-bin
+ mountPath: /tmp/senlin-api.sh
+ subPath: senlin-api.sh
+ readOnly: true
+ - name: pod-etc-senlin
+ mountPath: /etc/senlin
+ - name: pod-var-cache-senlin
+ mountPath: /var/cache/senlin
+ - name: senlin-etc
+ mountPath: /etc/senlin/senlin.conf
+ subPath: senlin.conf
+ readOnly: true
+ {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+ - name: senlin-etc
+ mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: senlin-etc
+ mountPath: /etc/senlin/api-paste.ini
+ subPath: api-paste.ini
+ readOnly: true
+ - name: senlin-etc
+ mountPath: /etc/senlin/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{ if $mounts_senlin_api.volumeMounts }}{{ toYaml $mounts_senlin_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-senlin
+ emptyDir: {}
+ - name: pod-var-cache-senlin
+ emptyDir: {}
+ - name: senlin-bin
+ configMap:
+ name: senlin-bin
+ defaultMode: 0555
+ - name: senlin-etc
+ secret:
+ secretName: senlin-etc
+ defaultMode: 0444
+{{ if $mounts_senlin_api.volumes }}{{ toYaml $mounts_senlin_api.volumes | indent 8 }}{{ end }}
+{{- end }}
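Review bot: The `senlin-api` container has a `readinessProbe` but no `livenessProbe`, so a hung API process is removed from the Service endpoints but never restarted by the kubelet, and with `replicas` at 1 the API stays down until someone intervenes. Assuming `/` on the API port answers without authentication, which the readiness probe already relies on, the same `httpGet` can serve as a liveness check with a longer initial delay; the conductor, engine and health-manager deployments have no probe at all, but they are not HTTP services so that is a separate question. Proposed addition next to the existing probe (delay values are illustrative):

```yaml
          # … unchanged: ports …
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: {{ tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
          # … unchanged: readiness probe, volumeMounts …
```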
diff --git a/charts/senlin/templates/deployment-conductor.yaml b/charts/senlin/templates/deployment-conductor.yaml
new file mode 100644
index 0000000..d60ada4
--- /dev/null
+++ b/charts/senlin/templates/deployment-conductor.yaml
@@ -0,0 +1,102 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_conductor }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_conductor := .Values.pod.mounts.senlin_conductor.senlin_conductor }}
+{{- $mounts_senlin_conductor_init := .Values.pod.mounts.senlin_conductor.init_container }}
+
+{{- $serviceAccountName := "senlin-conductor" }}
+{{ tuple $envAll "conductor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: senlin-conductor
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "senlin" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.conductor }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "senlin" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "senlin" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "senlin" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.conductor.node_selector_key }}: {{ .Values.labels.conductor.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "conductor" $mounts_senlin_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: senlin-conductor
+{{ tuple $envAll "senlin_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.senlin.uid }}
+ command:
+ - /tmp/senlin-conductor.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: senlin-bin
+ mountPath: /tmp/senlin-conductor.sh
+ subPath: senlin-conductor.sh
+ readOnly: true
+ - name: pod-etc-senlin
+ mountPath: /etc/senlin
+ - name: senlin-etc
+ mountPath: /etc/senlin/senlin.conf
+ subPath: senlin.conf
+ readOnly: true
+ {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+ - name: senlin-etc
+ mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: senlin-etc
+ mountPath: /etc/senlin/policy.json
+ subPath: policy.json
+ readOnly: true
+{{ if $mounts_senlin_conductor.volumeMounts }}{{ toYaml $mounts_senlin_conductor.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-senlin
+ emptyDir: {}
+ - name: pod-var-cache-senlin
+ emptyDir: {}
+ - name: senlin-bin
+ configMap:
+ name: senlin-bin
+ defaultMode: 0555
+ - name: senlin-etc
+ secret:
+ secretName: senlin-etc
+ defaultMode: 0444
+{{ if $mounts_senlin_conductor.volumes }}{{ toYaml $mounts_senlin_conductor.volumes | indent 8 }}{{ end }}
+{{- end }}
\ No newline at end of file
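Review bot: Both `senlin-conductor` here and `senlin-health-manager` in deployment-health-manager.yaml mount `subPath: policy.json` from the `senlin-etc` Secret, but that Secret, as built in configmap-etc.yaml, only carries `policy.yaml` (alongside `senlin.conf`, `logging.conf`, `api-paste.ini` and `rally_tests.yaml`); deployment-api.yaml and deployment-engine.yaml use `policy.yaml`. A subPath naming a Secret key that does not exist cannot yield the policy file the service expects, so whichever way the kubelet handles it (mount failure or an empty path), the chart's `conf.policy` overrides are not applied to these two services. Change the mount in both files to `mountPath: /etc/senlin/policy.yaml` / `subPath: policy.yaml`. Separately, both files also declare a `pod-var-cache-senlin` emptyDir under `volumes:` that no container in them mounts (only deployment-api.yaml mounts it); drop it or add the corresponding `volumeMounts` entry.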
diff --git a/charts/senlin/templates/deployment-engine.yaml b/charts/senlin/templates/deployment-engine.yaml
new file mode 100644
index 0000000..06ed768
--- /dev/null
+++ b/charts/senlin/templates/deployment-engine.yaml
@@ -0,0 +1,99 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_engine }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_engine := .Values.pod.mounts.senlin_engine.senlin_engine }}
+{{- $mounts_senlin_engine_init := .Values.pod.mounts.senlin_engine.init_container }}
+
+{{- $serviceAccountName := "senlin-engine" }}
+{{ tuple $envAll "engine" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: senlin-engine
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.engine }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.engine.node_selector_key }}: {{ .Values.labels.engine.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "engine" $mounts_senlin_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: senlin-engine
+{{ tuple $envAll "senlin_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.senlin.uid }}
+ command:
+ - /tmp/senlin-engine.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: senlin-bin
+ mountPath: /tmp/senlin-engine.sh
+ subPath: senlin-engine.sh
+ readOnly: true
+ - name: pod-etc-senlin
+ mountPath: /etc/senlin
+ - name: senlin-etc
+ mountPath: /etc/senlin/senlin.conf
+ subPath: senlin.conf
+ readOnly: true
+ {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+ - name: senlin-etc
+ mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: senlin-etc
+ mountPath: /etc/senlin/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+{{ if $mounts_senlin_engine.volumeMounts }}{{ toYaml $mounts_senlin_engine.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-senlin
+ emptyDir: {}
+ - name: senlin-bin
+ configMap:
+ name: senlin-bin
+ defaultMode: 0555
+ - name: senlin-etc
+ secret:
+ secretName: senlin-etc
+ defaultMode: 0444
+{{ if $mounts_senlin_engine.volumes }}{{ toYaml $mounts_senlin_engine.volumes | indent 8 }}{{ end }}
+{{- end }}
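Review bot: deployment-engine.yaml omits the `helm-toolkit.snippets.kubernetes_upgrades_deployment` include that deployment-api.yaml, deployment-conductor.yaml and deployment-health-manager.yaml all place between the `matchLabels` block and `template:`, so the engine Deployment falls back to Kubernetes' default update strategy instead of the chart's `pod.lifecycle.upgrades` settings that the other three components presumably honour. If this is not deliberate, add `{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}` after the `matchLabels` line, at column 0 as in the sibling templates.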
diff --git a/charts/senlin/templates/deployment-health-manager.yaml b/charts/senlin/templates/deployment-health-manager.yaml
new file mode 100644
index 0000000..e081c36
--- /dev/null
+++ b/charts/senlin/templates/deployment-health-manager.yaml
@@ -0,0 +1,102 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_health_manager }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_health_manager := .Values.pod.mounts.senlin_health_manager.senlin_health_manager }}
+{{- $mounts_senlin_health_manager_init := .Values.pod.mounts.senlin_health_manager.init_container }}
+
+{{- $serviceAccountName := "senlin-health-manager" }}
+{{ tuple $envAll "health_manager" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: senlin-health-manager
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "senlin" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.health_manager }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "senlin" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "senlin" "health_manager" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "senlin" "health_manager" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.health_manager.node_selector_key }}: {{ .Values.labels.health_manager.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "health_manager" $mounts_senlin_health_manager_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: senlin-health-manager
+{{ tuple $envAll "senlin_health_manager" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.health_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.senlin.uid }}
+ command:
+ - /tmp/senlin-health-manager.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: senlin-bin
+ mountPath: /tmp/senlin-health-manager.sh
+ subPath: senlin-health-manager.sh
+ readOnly: true
+ - name: pod-etc-senlin
+ mountPath: /etc/senlin
+ - name: senlin-etc
+ mountPath: /etc/senlin/senlin.conf
+ subPath: senlin.conf
+ readOnly: true
+ {{- if .Values.conf.senlin.DEFAULT.log_config_append }}
+ - name: senlin-etc
+ mountPath: {{ .Values.conf.senlin.DEFAULT.log_config_append }}
+ subPath: {{ base .Values.conf.senlin.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+ - name: senlin-etc
+ mountPath: /etc/senlin/policy.json
+ subPath: policy.json
+ readOnly: true
+{{ if $mounts_senlin_health_manager.volumeMounts }}{{ toYaml $mounts_senlin_health_manager.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-senlin
+ emptyDir: {}
+ - name: pod-var-cache-senlin
+ emptyDir: {}
+ - name: senlin-bin
+ configMap:
+ name: senlin-bin
+ defaultMode: 0555
+ - name: senlin-etc
+ secret:
+ secretName: senlin-etc
+ defaultMode: 0444
+{{ if $mounts_senlin_health_manager.volumes }}{{ toYaml $mounts_senlin_health_manager.volumes | indent 8 }}{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/senlin/templates/ingress-api.yaml b/charts/senlin/templates/ingress-api.yaml
new file mode 100644
index 0000000..f38bda6
--- /dev/null
+++ b/charts/senlin/templates/ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "clustering" "backendPort" "s-api" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-bootstrap.yaml b/charts/senlin/templates/job-bootstrap.yaml
new file mode 100644
index 0000000..b50c6cd
--- /dev/null
+++ b/charts/senlin/templates/job-bootstrap.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $bootstrapJob := dict "envAll" . "serviceName" "senlin" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.senlin.DEFAULT.log_config_append -}}
+{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-db-drop.yaml b/charts/senlin/templates/job-db-drop.yaml
new file mode 100644
index 0000000..41735b4
--- /dev/null
+++ b/charts/senlin/templates/job-db-drop.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "senlin" -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-db-init.yaml b/charts/senlin/templates/job-db-init.yaml
new file mode 100644
index 0000000..47822ad
--- /dev/null
+++ b/charts/senlin/templates/job-db-init.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-5"
+{{- end }}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "senlin" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+{{- end }}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-db-sync.yaml b/charts/senlin/templates/job-db-sync.yaml
new file mode 100644
index 0000000..7e5f0ba
--- /dev/null
+++ b/charts/senlin/templates/job-db-sync.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.db_sync" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "senlin" "podVolMounts" .Values.pod.mounts.senlin_db_sync.senlin_db_sync.volumeMounts "podVols" .Values.pod.mounts.senlin_db_sync.senlin_db_sync.volumes -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+{{- end }}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-image-repo-sync.yaml b/charts/senlin/templates/job-image-repo-sync.yaml
new file mode 100644
index 0000000..d5b87b1
--- /dev/null
+++ b/charts/senlin/templates/job-image-repo-sync.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.repo_sync" }}
+helm.sh/hook: post-install,post-upgrade
+{{- end }}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "senlin" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
+{{- end }}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
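Review bot: The `helm3_hook` branch in job-image-repo-sync.yaml is missing the `set` function: `{{- $_ := $imageRepoSyncJob "jobAnnotations" (...) }}` passes arguments to the `$imageRepoSyncJob` dict itself, which Go templates reject as giving arguments to a non-function, so `helm template`/`helm install` fails whenever both `helm3_hook` and `images.local_registry.active` are true. Every sibling job template in this commit (job-db-init.yaml, job-db-sync.yaml, job-ks-*.yaml, job-rabbit-init.yaml) uses the correct form. Change the line to `{{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}`.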
diff --git a/charts/senlin/templates/job-ks-endpoints.yaml b/charts/senlin/templates/job-ks-endpoints.yaml
new file mode 100644
index 0000000..8c8b2e3
--- /dev/null
+++ b/charts/senlin/templates/job-ks-endpoints.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_endpoints" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-2"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-ks-service.yaml b/charts/senlin/templates/job-ks-service.yaml
new file mode 100644
index 0000000..0012d88
--- /dev/null
+++ b/charts/senlin/templates/job-ks-service.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_service" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-3"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
+{{- end }}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-ks-user.yaml b/charts/senlin/templates/job-ks-user.yaml
new file mode 100644
index 0000000..aa86dc1
--- /dev/null
+++ b/charts/senlin/templates/job-ks-user.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.ks_user" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-1"
+{{- end }}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "senlin" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
+{{- end }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
diff --git a/charts/senlin/templates/job-rabbit-init.yaml b/charts/senlin/templates/job-rabbit-init.yaml
new file mode 100644
index 0000000..eca7f03
--- /dev/null
+++ b/charts/senlin/templates/job-rabbit-init.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "metadata.annotations.job.rabbit_init" }}
+helm.sh/hook: post-install,post-upgrade
+helm.sh/hook-weight: "-4"
+{{- end }}
+
+{{- if .Values.manifests.job_rabbit_init }}
+{{- $rmqUserJob := dict "envAll" . "serviceName" "senlin" -}}
+{{- if .Values.helm3_hook }}
+{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+{{- end }}
+{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
+{{- end }}
diff --git a/charts/senlin/templates/network_policy.yaml b/charts/senlin/templates/network_policy.yaml
new file mode 100644
index 0000000..0066c79
--- /dev/null
+++ b/charts/senlin/templates/network_policy.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "senlin" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/charts/senlin/templates/pdb-api.yaml b/charts/senlin/templates/pdb-api.yaml
new file mode 100644
index 0000000..15a2a45
--- /dev/null
+++ b/charts/senlin/templates/pdb-api.yaml
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pdb_api }}
+{{- $envAll := . }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: senlin-api
+spec:
+ minAvailable: {{ .Values.pod.lifecycle.disruption_budget.api.min_available }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{- end }}
diff --git a/charts/senlin/templates/pod-test.yaml b/charts/senlin/templates/pod-test.yaml
new file mode 100644
index 0000000..05a65cf
--- /dev/null
+++ b/charts/senlin/templates/pod-test.yaml
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_test }}
+{{- $envAll := . }}
+
+{{- $mounts_senlin_tests := .Values.pod.mounts.senlin_tests.senlin_tests }}
+{{- $mounts_senlin_tests_init := .Values.pod.mounts.senlin_tests.init_container }}
+
+{{- $serviceAccountName := print .Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{.Release.Name}}-test"
+ labels:
+{{ tuple $envAll "senlin" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+ restartPolicy: Never
+ initContainers:
+{{ tuple $envAll "tests" $mounts_senlin_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+ containers:
+ - name: {{.Release.Name}}-senlin-test
+{{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+ command:
+ - /tmp/senlin-test.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: senlin-bin
+ mountPath: /tmp/senlin-test.sh
+ subPath: senlin-test.sh
+ readOnly: true
+{{ if $mounts_senlin_tests.volumeMounts }}{{ toYaml $mounts_senlin_tests.volumeMounts | indent 8 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: senlin-bin
+ configMap:
+ name: senlin-bin
+ defaultMode: 0555
+{{ if $mounts_senlin_tests.volumes }}{{ toYaml $mounts_senlin_tests.volumes | indent 4 }}{{ end }}
+{{- end }}
diff --git a/charts/senlin/templates/secret-db.yaml b/charts/senlin/templates/secret-db.yaml
new file mode 100644
index 0000000..0e3e472
--- /dev/null
+++ b/charts/senlin/templates/secret-db.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_db }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "senlin" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/templates/secret-keystone.yaml b/charts/senlin/templates/secret-keystone.yaml
new file mode 100644
index 0000000..4a553ea
--- /dev/null
+++ b/charts/senlin/templates/secret-keystone.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "senlin" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/templates/secret-rabbitmq.yaml b/charts/senlin/templates/secret-rabbitmq.yaml
new file mode 100644
index 0000000..a7390c6
--- /dev/null
+++ b/charts/senlin/templates/secret-rabbitmq.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_rabbitmq }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "senlin" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/senlin/templates/service-api.yaml b/charts/senlin/templates/service-api.yaml
new file mode 100644
index 0000000..e4e3787
--- /dev/null
+++ b/charts/senlin/templates/service-api.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_api }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "clustering" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: s-api
+ port: {{ tuple "clustering" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{ if .Values.network.api.node_port.enabled }}
+ nodePort: {{ .Values.network.api.node_port.port }}
+ {{ end }}
+ selector:
+{{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ {{ if .Values.network.api.node_port.enabled }}
+ type: NodePort
+ {{ end }}
+{{- end }}
diff --git a/charts/senlin/templates/service-ingress-api.yaml b/charts/senlin/templates/service-ingress-api.yaml
new file mode 100644
index 0000000..5f8d9cf
--- /dev/null
+++ b/charts/senlin/templates/service-ingress-api.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "clustering" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/senlin/values.yaml b/charts/senlin/values.yaml
new file mode 100644
index 0000000..b245bd3
--- /dev/null
+++ b/charts/senlin/values.yaml
@@ -0,0 +1,749 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for senlin.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ conductor:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ engine:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ health_manager:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ test:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+release_group: null
+
+images:
+ tags:
+ scripted_test: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ senlin_db_sync: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+ db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ rabbit_init: docker.io/rabbitmq:3.7-management
+ ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ senlin_api: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+ senlin_conductor: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+ senlin_engine: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+ senlin_engine_cleaner: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+ senlin_health_manager: docker.io/openstackhelm/senlin:wallaby-ubuntu_focal
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+jobs:
+ engine_cleaner:
+ cron: "*/5 * * * *"
+ history:
+ success: 3
+ failed: 1
+
+conf:
+ rally_tests:
+ run_tempest: false
+ tests:
+ SenlinClusters.create_and_delete_cluster:
+ - args:
+ desired_capacity: 3
+ min_size: 0
+ max_size: 5
+ runner:
+ concurrency: 1
+ times: 1
+ type: constant
+ sla:
+ failure_rate:
+ max: 0
+ context:
+ profiles:
+ type: os.nova.server
+ version: "1.0"
+ properties:
+ name: cirros_server
+ flavor: 689eeda3-c6cd-450f-b000-58025c783763
+ image: df0c1a14-0940-4ae5-be5c-bb06aa407da2
+ networks:
+ - network: public
+ paste:
+ pipeline:senlin-api:
+ pipeline: request_id faultwrap ssl versionnegotiation webhook authtoken context trust apiv1app
+ app:apiv1app:
+ paste.app_factory: senlin.api.common.wsgi:app_factory
+ senlin.app_factory: senlin.api.openstack.v1.router:API
+ filter:request_id:
+ paste.filter_factory: oslo_middleware.request_id:RequestId.factory
+ filter:faultwrap:
+ paste.filter_factory: senlin.api.common.wsgi:filter_factory
+ senlin.filter_factory: senlin.api.middleware:fault_filter
+ filter:context:
+ paste.filter_factory: senlin.api.common.wsgi:filter_factory
+ senlin.filter_factory: senlin.api.middleware:context_filter
+ filter:ssl:
+ paste.filter_factory: oslo_middleware.ssl:SSLMiddleware.factory
+ filter:versionnegotiation:
+ paste.filter_factory: senlin.api.common.wsgi:filter_factory
+ senlin.filter_factory: senlin.api.middleware:version_filter
+ filter:trust:
+ paste.filter_factory: senlin.api.common.wsgi:filter_factory
+ senlin.filter_factory: senlin.api.middleware:trust_filter
+ filter:webhook:
+ paste.filter_factory: senlin.api.common.wsgi:filter_factory
+ senlin.filter_factory: senlin.api.middleware:webhook_filter
+ filter:authtoken:
+ paste.filter_factory: keystonemiddleware.auth_token:filter_factory
+ policy:
+ context_is_admin: role:admin
+ deny_everybody: "!"
+ build_info:build_info: ''
+ profile_types:index: ''
+ profile_types:get: ''
+ policy_types:index: ''
+ policy_types:get: ''
+ clusters:index: ''
+ clusters:create: ''
+ clusters:delete: ''
+ clusters:get: ''
+ clusters:action: ''
+ clusters:update: ''
+ clusters:collect: ''
+ profiles:index: ''
+ profiles:create: ''
+ profiles:get: ''
+ profiles:delete: ''
+ profiles:update: ''
+ profiles:validate: ''
+ nodes:index: ''
+ nodes:create: ''
+ nodes:get: ''
+ nodes:action: ''
+ nodes:update: ''
+ nodes:delete: ''
+ policies:index: ''
+ policies:create: ''
+ policies:get: ''
+ policies:update: ''
+ policies:delete: ''
+ policies:validate: ''
+ cluster_policies:index: ''
+ cluster_policies:attach: ''
+ cluster_policies:detach: ''
+ cluster_policies:update: ''
+ cluster_policies:get: ''
+ receivers:index: ''
+ receivers:create: ''
+ receivers:get: ''
+ receivers:delete: ''
+ actions:index: ''
+ actions:get: ''
+ events:index: ''
+ events:get: ''
+ webhooks:trigger: ''
+ senlin:
+ DEFAULT:
+ log_config_append: /etc/senlin/logging.conf
+ transport_url: null
+ host: senlin
+ database:
+ max_retries: -1
+ authentication:
+ auth_url: null
+ keystone_authtoken:
+ auth_type: password
+ auth_version: v3
+ memcache_security_strategy: ENCRYPT
+ senlin_api:
+ # NOTE(portdirect): the bind port should not be defined, and is manipulated
+ # via the endpoints section.
+ bind_port: null
+ oslo_policy:
+ policy_file: /etc/senlin/policy.yaml
+ logging:
+ loggers:
+ keys:
+ - root
+ - senlin
+ handlers:
+ keys:
+ - stdout
+ - stderr
+ - "null"
+ formatters:
+ keys:
+ - context
+ - default
+ logger_root:
+ level: WARNING
+ handlers: 'null'
+ logger_senlin:
+ level: INFO
+ handlers:
+ - stdout
+ qualname: senlin
+ logger_amqp:
+ level: WARNING
+ handlers: stderr
+ qualname: amqp
+ logger_amqplib:
+ level: WARNING
+ handlers: stderr
+ qualname: amqplib
+ logger_eventletwsgi:
+ level: WARNING
+ handlers: stderr
+ qualname: eventlet.wsgi.server
+ logger_sqlalchemy:
+ level: WARNING
+ handlers: stderr
+ qualname: sqlalchemy
+ logger_boto:
+ level: WARNING
+ handlers: stderr
+ qualname: boto
+ handler_null:
+ class: logging.NullHandler
+ formatter: default
+ args: ()
+ handler_stdout:
+ class: StreamHandler
+ args: (sys.stdout,)
+ formatter: context
+ handler_stderr:
+ class: StreamHandler
+ args: (sys.stderr,)
+ formatter: context
+ formatter_context:
+ class: oslo_log.formatters.ContextFormatter
+ datefmt: "%Y-%m-%d %H:%M:%S"
+ formatter_default:
+ format: "%(message)s"
+ datefmt: "%Y-%m-%d %H:%M:%S"
+
+network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ node_port:
+ enabled: false
+ port: 30778
+
+bootstrap:
+ enabled: false
+ ks_user: senlin
+ script: |
+ openstack token issue
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - senlin-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ engine_cleaner:
+ jobs:
+ - senlin-db-sync
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: oslo_messaging
+ - endpoint: internal
+ service: identity
+ api:
+ jobs:
+ - senlin-db-sync
+ - senlin-ks-user
+ - senlin-ks-endpoints
+ - senlin-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: oslo_messaging
+ db_drop:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_init:
+ services:
+ - endpoint: internal
+ service: oslo_db
+ db_sync:
+ jobs:
+ - senlin-db-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ engine:
+ jobs:
+ - senlin-db-sync
+ - senlin-ks-user
+ - senlin-ks-endpoints
+ - senlin-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ conductor:
+ jobs:
+ - senlin-db-sync
+ - senlin-ks-user
+ - senlin-ks-endpoints
+ - senlin-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ health_manager:
+ jobs:
+ - senlin-db-sync
+ - senlin-ks-user
+ - senlin-ks-endpoints
+ - senlin-rabbit-init
+ services:
+ - endpoint: internal
+ service: oslo_db
+ - endpoint: internal
+ service: identity
+ ks_endpoints:
+ jobs:
+ - senlin-ks-service
+ services:
+ - endpoint: internal
+ service: identity
+ ks_service:
+ services:
+ - endpoint: internal
+ service: identity
+ ks_user:
+ services:
+ - endpoint: internal
+ service: identity
+ rabbit_init:
+ services:
+ - endpoint: internal
+ service: oslo_messaging
+ tests:
+ services:
+ - endpoint: internal
+ service: identity
+ - endpoint: internal
+ service: clustering
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: senlin-keystone-admin
+ senlin: senlin-keystone-user
+ oslo_db:
+ admin: senlin-db-admin
+ senlin: senlin-db-user
+ oslo_messaging:
+ admin: senlin-rabbitmq-admin
+ senlin: senlin-rabbitmq-user
+
+# typically overridden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ identity:
+ name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ senlin:
+ role: admin
+ region_name: RegionOne
+ username: senlin
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
+ test:
+ role: admin
+ region_name: RegionOne
+ username: senlin-test
+ password: password
+ project_name: test
+ user_domain_name: service
+ project_domain_name: service
+ hosts:
+ default: keystone
+ internal: keystone-api
+ host_fqdn_override:
+ default: null
+ path:
+ default: /v3
+ scheme:
+ default: http
+ port:
+ api:
+ default: 80
+ internal: 5000
+ clustering:
+ name: senlin
+ hosts:
+ default: senlin-api
+ public: senlin
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme:
+ default: http
+ port:
+ api:
+ default: 8778
+ public: 80
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ senlin:
+ username: senlin
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /senlin
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+ oslo_cache:
+ auth:
+ # NOTE(portdirect): this is used to define the value for keystone
+ # authtoken cache encryption key, if not set it will be populated
+ # automatically with a random value, but to take advantage of
+ # this feature all services should be set to use the same key,
+ # and memcache service.
+ memcache_secret_key: null
+ hosts:
+ default: memcached
+ host_fqdn_override:
+ default: null
+ port:
+ memcache:
+ default: 11211
+ oslo_messaging:
+ auth:
+ admin:
+ username: rabbitmq
+ password: password
+ senlin:
+ username: senlin
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /senlin
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ http:
+ default: 15672
+ fluentd:
+ namespace: null
+ name: fluentd
+ hosts:
+ default: fluentd-logging
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: 'http'
+ port:
+ service:
+ default: 24224
+ metrics:
+ default: 24220
+
+pod:
+ user:
+ senlin:
+ uid: 42424
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+ mounts:
+ senlin_api:
+ init_container: null
+ senlin_api:
+ volumeMounts:
+ volumes:
+ senlin_conductor:
+ init_container: null
+ senlin_conductor:
+ volumeMounts:
+ volumes:
+ senlin_engine:
+ init_container: null
+ senlin_engine:
+ volumeMounts:
+ volumes:
+ senlin_health_manager:
+ init_container: null
+ senlin_health_manager:
+ volumeMounts:
+ volumes:
+ senlin_bootstrap:
+ init_container: null
+ senlin_bootstrap:
+ volumeMounts:
+ volumes:
+ senlin_engine_cleaner:
+ init_container: null
+ senlin_engine_cleaner:
+ volumeMounts:
+ volumes:
+ senlin_tests:
+ init_container: null
+ senlin_tests:
+ volumeMounts:
+ volumes:
+ senlin_db_sync:
+ senlin_db_sync:
+ volumeMounts:
+ volumes:
+ replicas:
+ api: 1
+ conductor: 1
+ engine: 1
+ health_manager: 1
+ lifecycle:
+ upgrades:
+ deployments:
+ revision_history: 3
+ pod_replacement_strategy: RollingUpdate
+ rolling_update:
+ max_unavailable: 1
+ max_surge: 3
+ disruption_budget:
+ api:
+ min_available: 0
+ termination_grace_period:
+ api:
+ timeout: 30
+ resources:
+ enabled: false
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ conductor:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ engine:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ health_manager:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ db_drop:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_endpoints:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_service:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ks_user:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ rabbit_init:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ tests:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ engine_cleaner:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+network_policy:
+ senlin:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+helm3_hook: true
+
+manifests:
+ configmap_bin: true
+ configmap_etc: true
+ cron_job_engine_cleaner: true
+ deployment_api: true
+ deployment_conductor: true
+ deployment_engine: true
+ deployment_health_manager: true
+ ingress_api: true
+ job_bootstrap: true
+ job_db_init: true
+ job_db_sync: true
+ job_db_drop: false
+ job_image_repo_sync: true
+ job_ks_endpoints: true
+ job_ks_service: true
+ job_ks_user: true
+ job_rabbit_init: true
+ pdb_api: true
+ pod_test: true
+ network_policy: false
+ secret_db: true
+ secret_keystone: true
+ secret_rabbitmq: true
+ service_ingress_api: true
+ service_api: true
+...
diff --git a/hack/sync-charts.sh b/hack/sync-charts.sh
index 1f473b6..eddc2e3 100755
--- a/hack/sync-charts.sh
+++ b/hack/sync-charts.sh
@@ -23,19 +23,9 @@
# Determine the root path for Atmosphere
ATMOSPHERE="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." >/dev/null 2>&1 && pwd )"
-# Create work directory to avoid cluttering up workspace
-WORKDIR=$(mktemp -d)
-function cleanup {
- rm -rfv ${WORKDIR}
-}
-trap cleanup EXIT
-
# Clean-up all of the existing charts
rm -rfv ${ATMOSPHERE}/charts/*
-# Switch to folder where we will be syncing charts
-pushd ${WORKDIR}
-
CILIUM_VERSION=1.10.7
curl -sL https://helm.cilium.io/cilium-${CILIUM_VERSION}.tgz \
| tar -xz -C ${ATMOSPHERE}/charts
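Review bot: With the temp workdir and its cleanup trap gone, `rm -rfv ${ATMOSPHERE}/charts/*` is now the only destructive step and it still runs unquoted against a variable derived from a `cd ... && pwd` that can fail; guard it with `rm -rfv "${ATMOSPHERE:?}/charts/"*` so an empty or whitespace-containing path aborts instead of expanding to something else. The retained `curl -sL ... | tar -xz` line has no `-f`, so an HTTP error body is fed to tar, and unless the script sets `set -o pipefail` above this hunk (not visible here) a failed download is masked by tar's exit status; `curl -fsSL` is the minimal change. Whether `set -euo pipefail` is present at the top of hack/sync-charts.sh cannot be confirmed from this hunk.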
@@ -76,5 +66,70 @@
curl -sL https://github.com/coredns/helm/releases/download/coredns-${COREDNS_VERSION}/coredns-${COREDNS_VERSION}.tgz \
| tar -xz -C ${ATMOSPHERE}/charts
-# Switch back to original directory
-popd
+MEMCACHED_VERSION=0.1.12
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/memcached-${MEMCACHED_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+KEYSTONE_VERSION=0.2.19
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/keystone-${KEYSTONE_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+BARBICAN_VERSION=0.2.12
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/barbican-${BARBICAN_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+CEPH_PROVISIONERS_VERSION=0.1.8
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/ceph-provisioners-${CEPH_PROVISIONERS_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+GLANCE_VERSION=0.4.1
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/glance-${GLANCE_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+CINDER_VERSION=0.2.25
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/cinder-${CINDER_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+PLACEMENT_VERSION=0.2.10
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/placement-${PLACEMENT_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+OPEN_VSWITCH_VERSION=0.1.10
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/openvswitch-${OPEN_VSWITCH_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+LIBVIRT_VERSION=0.1.8
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/libvirt-${LIBVIRT_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+NEUTRON_VERSION=0.3.2
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/neutron-${NEUTRON_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+NOVA_VERISON=0.2.32
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/nova-${NOVA_VERISON}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+SENLIN_VERSION=0.2.6
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/senlin-${SENLIN_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+DESIGNATE_VERSION=0.2.7
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/designate-${DESIGNATE_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+HEAT_VERSION=0.2.8
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/heat-${HEAT_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+OCTAVIA_VERSION=0.2.5
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/octavia-${OCTAVIA_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+MAGNUM_VERSION=0.2.8
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/magnum-${MAGNUM_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+
+HORIZON_VERSION=0.2.24
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm/horizon-${HORIZON_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
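Review bot: Every new chart is fetched with `curl -sL` and piped straight into `tar -xz`, so nothing pins the content of what gets vendored into charts/ — a tampered, substituted or truncated tarball from tarballs.opendev.org is extracted silently, and `-s` without `-f` means an HTTP error page is also handed to tar. Since these charts become the deployment defaults for keystone, barbican, nova and the rest, record a sha256 per tarball next to its version and refuse to unpack on mismatch, as sketched below; the digest values need to be captured from a trusted download and are not invented here. Minor: `NOVA_VERISON` is misspelled relative to every other `*_VERSION` variable, which a future `grep` for versions will miss.
```shell
# Download a chart tarball, verify it against a pinned sha256, then unpack it.
# Refuses to unpack anything whose digest does not match, so a tampered or
# truncated download cannot replace a vendored chart silently.
fetch_chart() {
  local url="$1" sha256="$2" tmp
  tmp="$(mktemp)"
  curl -fsSL "${url}" -o "${tmp}"
  echo "${sha256}  ${tmp}" | sha256sum -c - >/dev/null
  tar -xz -C "${ATMOSPHERE:?}/charts" -f "${tmp}"
  rm -f "${tmp}"
}

MEMCACHED_VERSION=0.1.12
MEMCACHED_SHA256=<pinned digest>
fetch_chart "https://tarballs.opendev.org/openstack/openstack-helm-infra/memcached-${MEMCACHED_VERSION}.tgz" "${MEMCACHED_SHA256}"
# … unchanged: remaining charts, each converted to a fetch_chart call with its own pinned digest …
```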